$30 off During Our Annual Pro Sale. View Details »

Keeping Rails Applications on Track with Brakeman

Justin Collins
May 23, 2012
Programming
2
410

Keeping Rails Applications on Track with Brakeman

Brakeman (http://brakemanscanner.org/) is an open source static analysis tool which provides painless vulnerability scans of Rails code from "rails new" through deployment. Running Brakeman as a part of continuous integration provides feedback during all stages of development and can alert developers immediately when a potential vulnerability is introduced. Bringing security testing as close to the developer as possible (even scanning as files are saved) means security problems are caught faster - and the sooner problems are found the cheaper they are to fix.

Justin Collins

May 23, 2012
Tweet

More Decks by Justin Collins

See All by Justin Collins
Continuous (Application) Security at DevOps Velocity
presidentbeef
0
110
The Evolution of Rails Security
presidentbeef
1
620
Brakeman RailsConf 2017 Lightning Talk
presidentbeef
0
96
Practical Static Analysis for Continuous Application Security
presidentbeef
0
150
"...But Doesn't Rails Take Care of Security for Me?"
presidentbeef
1
310
Continuous Security with Practical Static Analysis
presidentbeef
1
250
Security Automation at Twitter - Rise of the Machines
presidentbeef
0
150
"Recent Rails SQL Issues" - 2012
presidentbeef
0
53
The World of Rails Security - RailsConf 2015
presidentbeef
8
1k

Other Decks in Programming

See All in Programming
非同期ツールキット「Vert.x」のご紹介
masatoshiitoh
0
120
10年モノのAndroidアプリのコード品質を改善していく、3つの取り組み
okuzawats
0
670
DMMプラットフォームにおけるコード品質を改善する取り組みの理想と現実
pospome
3
1.8k
安心してリリース!〜Blue/Greenデプロイ戦略の実体験〜 - NIFTY Tech Day 2023
niftycorp
0
140
Modern Java for the Masses! Is Java Still Relevant?
deepu105
1
460
Better Code Design in PHP
afilina
PRO
1
390
弊社の開発体験の良いところは?メンバーに訊いてみた!
texmeijin
0
190
Input object ではじめる入力値検証/input-value-validation-using-input-object
sanfrecce_osaka
0
200
Gatlingによる負荷テスト入門
irof
6
570
進化したWeb技術でPWAをネイティブアプリに近づける / frontend-conf-2023
yuhei_fujita
6
2.6k
Voicyの生放送リスナー画面で パフォーマンスチューニングした話
miyuki2203
0
120
Comment choisir les « bons » composants open source ? (Capitole du Libre 2023)
pylapp
0
110

Featured

See All Featured
Into the Great Unknown - MozCon
thekraken
7
660
Git: the NoSQL Database
bkeepers
PRO
420
62k
The Illustrated Children's Guide to Kubernetes
chrisshort
26
45k
JazzCon 2018 Closing Keynote - Leadership for the Reluctant Leader
reverentgeek
177
10k
Fontdeck: Realign not Redesign
paulrobertlloyd
74
4.7k
How to Ace a Technical Interview
jacobian
272
22k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
226
16k
What’s in a name? Adding method to the madness
productmarketing
PRO
14
2.3k
Become a Pro
speakerdeck
PRO
8
3.6k
How To Stay Up To Date on Web Technology
chriscoyier
780
250k
The Invisible Side of Design
smashingmag
291
49k
Put a Button on it: Removing Barriers to Going Fast.
kastner
56
2.8k

Transcript

  1. Keeping Rails Applications
    on Track with Brakeman
    Justin Collins
    @presidentbeef
    RailsConf 2012
    1

    View Slide

  2. Everyone knows they “should”
    worry about security
    2

    View Slide

  3. But when should you worry?
    3

    View Slide

  4. Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    Idealized Software Development
    4

    View Slide

  5. Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    Cost to Fix Defects
    5

    View Slide

  6. Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    Cost to Fix Defects
    6

    View Slide

  7. Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    Security Review
    Cost to Fix Defects
    6

    View Slide

  8. Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    Security Review
    Cost to Fix Defects
    6

    View Slide

  9. Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    Security Review
    Cost to Fix Defects
    6

    View Slide

  10. Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    Security Review
    Cost to Fix Defects
    6

    View Slide

  11. Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    Security Review
    Cost to Fix Defects
    6

    View Slide

  12. Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    Security Review
    Cost to Fix Defects
    6

    View Slide

  13. Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    Security Review
    Cost to Fix Defects
    6

    View Slide

  14. Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    Security Review
    Cost to Fix Defects
    6

    View Slide

  15. Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    Security Review
    Save
    code
    Cost to Fix Defects
    6

    View Slide

  16. brakemanscanner.org
    github.com/presidentbeef/brakeman
    @brakeman
    7

    View Slide

  17. “zero configuration”
    security scanning
    8

    View Slide

  18. gem install brakeman
    cd my_rails_app/
    brakeman
    9

    View Slide

  19. 10

    View Slide

  20. gem install brakeman
    cd my_rails_app/
    brakeman -o report.html
    11

    View Slide

  21. 12

    View Slide

  22. “Confidence” View
    Render
    Location
    Warning Type
    Line Number Code Snippet
    13

    View Slide

  23. Line 5
    14

    View Slide

  24. Static Analysis Detour
    15

    View Slide

  25. Static Analysis
    Anything that can be determined about a program
    without actually executing it
    16

    View Slide

  26. “But Ruby is way too dynamic
    for that!”
    17

    View Slide

  27. eval(File.read(gets.strip))
    18

    View Slide

  28. We don’t have to know
    everything
    19

    View Slide

  29. Most of the Action Happens Here
    Controller View Partials
    Filters
    20

    View Slide

  30. View
    <%= params[:user][:name] %>
    Start Simple:
    User Input in Views
    21

    View Slide

  31. Controller
    View
    Next: From Controllers to Views
    <%= @user[:name] %>
    @user = params[:user]
    22

    View Slide

  32. Controller
    View
    Next: From Controllers to Views
    <%= @user[:name] %>
    @user = params[:user]
    22

    View Slide

  33. Next: From Controllers to Views
    Controller
    View
    <%= params[:user][:name] %>
    @user = params[:user]
    23

    View Slide

  34. user = params[:user]
    user_id = user[:id]
    @current_user = User.find(user_id)
    @current_user.update_attributes(user)
    Really Simple Data Flow
    24

    View Slide

  35. user = params[:user]
    user_id = user[:id]
    @current_user = User.find(user_id)
    @current_user.update_attributes(user)
    Really Simple Data Flow
    24

    View Slide

  36. Really Simple Data Flow
    user = params[:user]
    user_id = params[:id]
    @current_user = User.find(user_id)
    @current_user.update_attributes(user)
    25

    View Slide

  37. Really Simple Data Flow
    user = params[:user]
    user_id = params[:id]
    @current_user = User.find(user_id)
    @current_user.update_attributes(user)
    25

    View Slide

  38. Really Simple Data Flow
    user = params[:user]
    user_id = params[:id]
    @current_user = User.find(params[:user][:id])
    @current_user.update_attributes(user)
    26

    View Slide

  39. Really Simple Data Flow
    user = params[:user]
    user_id = params[:id]
    @current_user = User.find(params[:user][:id])
    @current_user.update_attributes(user)
    26

    View Slide

  40. Really Simple Data Flow
    user = params[:user]
    user_id = params[:id]
    @current_user = User.find(params[:user][:id])
    User.find(params[:user][:id]).update_attributes(user)
    27

    View Slide

  41. Really Simple Data Flow
    user = params[:user]
    user_id = params[:id]
    @current_user = User.find(params[:user][:id])
    User.find(params[:user][:id]).update_attributes(user)
    27

    View Slide

  42. Really Simple Data Flow
    user = params[:user]
    user_id = params[:id]
    @current_user = User.find(params[:user][:id])
    User.find(params[:user][:id]).update_attributes(params[:user])
    28

    View Slide

  43. Really Simple Data Flow
    Mass
    Assignment
    user = params[:user]
    user_id = params[:id]
    @current_user = User.find(params[:user][:id])
    User.find(params[:user][:id]).update_attributes(params[:user])
    28

    View Slide

  44. Brakeman Can Detect...
    • Cross site scripting
    • SQL injection
    • Command injection
    • Unrestricted mass assignment
    • Unprotected redirects
    • Unsafe file access
    • Insufficient model validation
    • Version-specific security issues
    • Dangerous use of eval
    • Dangerous use of send
    • Default routes
    • Dynamic render paths
    • …and more!
    29

    View Slide

  45. Performance
    Twitter Main App < 2m
    nventory
    (66c, 58m, 688t)
    ~1m
    Redmine
    (50c, 77m, 256t)
    ~20s
    Typo
    (34c, 47m, 113t)
    ~5s
    Brakeman 1.6.0, Ruby 1.9.3-p125
    30

    View Slide

  46. Back to SDLC
    Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    31

    View Slide

  47. Run Brakeman Anytime
    Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    32

    View Slide

  48. Run Brakeman Anytime
    Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    32

    View Slide

  49. Run Brakeman Anytime
    Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    32

    View Slide

  50. Run Brakeman Anytime
    Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    32

    View Slide

  51. Run Brakeman Anytime
    Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    32

    View Slide

  52. Brakeman +
    jenkins-ci.org
    open source CI server
    33

    View Slide

  53. Brakeman +
    34

    View Slide

  54. Brakeman +
    35

    View Slide

  55. Brakeman Programatically
    require “brakeman”
    Brakeman.run “myapp”
    36

    View Slide

  56. Run Brakeman Anytime
    Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    37

    View Slide

  57. Run Brakeman Anytime
    Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    37

    View Slide

  58. Run Brakeman Anytime
    Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    37

    View Slide

  59. Brakeman + Rake
    brakeman --rake
    rake brakeman:run
    38

    View Slide

  60. Hardcore Mode
    brakeman -z
    39

    View Slide

  61. Comparing Brakeman Results
    brakeman -o report.json
    brakeman --compare report.json
    40

    View Slide

  62. Brakeman...All the Time?
    Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    41

    View Slide

  63. Brakeman...All the Time?
    Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    Save
    code
    41

    View Slide

  64. Fast Rescanning
    Brakeman supports fast
    rescanning of changed files*
    42

    View Slide

  65. Fast Rescanning
    *If scan is kept in memory
    43

    View Slide

  66. Brakeman + Guard
    group :development do
    gem 'guard-brakeman'
    end
    44

    View Slide

  67. Brakeman + Guard
    guard init brakeman
    guard
    45

    View Slide

  68. http://www.youtube.com/
    watch?v=CMgYcr9_ONs
    Brakeman + Guard Demo
    46

    View Slide

  69. Caveats
    47

    View Slide

  70. warnings != vulnerabilities
    48

    View Slide

  71. zero warnings
    does not mean
    zero vulnerabilities
    49

    View Slide

  72. Brakeman is not omniscient
    50

    View Slide

  73. Supports
    • Rails 2.x & 3.x
    • Ruby 1.8.7 & 1.9.x
    • JRuby
    51

    View Slide

  74. brakemanscanner.org
    github.com/presidentbeef/brakeman
    @brakeman
    52

    View Slide