Keeping Rails Applications on Track with Brakeman


Brakeman (http://brakemanscanner.org/) is an open source static analysis tool which provides painless vulnerability scans of Rails code from "rails new" through deployment. Running Brakeman as a part of continuous integration provides feedback during all stages of development and can alert developers immediately when a potential vulnerability is introduced. Bringing security testing as close to the developer as possible (even scanning as files are saved) means security problems are caught faster - and the sooner problems are found the cheaper they are to fix.


Justin Collins

May 23, 2012

Transcript

  1. Keeping Rails Applications on Track with Brakeman. Justin Collins, @presidentbeef. RailsConf 2012

  2. Everyone knows they “should” worry about security

  3. But when should you worry?
  4. Idealized Software Development: Write code, Run tests, Deploy code, Commit code, Push to CI server, Code review, QA Testing

  5. Cost to Fix Defects, over the same stages: Write code, Run tests, Deploy code, Commit code, Push to CI server, Code review, QA Testing

  6. (same as slide 5)

  7. Cost to Fix Defects, with Security Review added: Write code, Run tests, Deploy code, Commit code, Push to CI server, Code review, QA Testing, Security Review

  8–14. (same as slide 7)

  15. Cost to Fix Defects, with Security Review and Save code added: Write code, Run tests, Deploy code, Commit code, Push to CI server, Code review, QA Testing, Security Review, Save code
  16. brakemanscanner.org, github.com/presidentbeef/brakeman, @brakeman

  17. “zero configuration” security scanning

  18. gem install brakeman
      cd my_rails_app/
      brakeman

  19. (image only)

  20. gem install brakeman
      cd my_rails_app/
      brakeman -o report.html

  21. (image only)

  22. “Confidence”, View Render Location, Warning Type, Line Number, Code Snippet

  23. Line 5

  24. Static Analysis Detour

  25. Static Analysis: anything that can be determined about a program without actually executing it

  26. “But Ruby is way too dynamic for that!”

  27. eval(File.read(gets.strip))

  28. We don’t have to know everything

  29. Most of the Action Happens Here: Controller, View, Partials, Filters

  30. Start Simple: User Input in Views
      View: <%= params[:user][:name] %>

  31. Next: From Controllers to Views
      Controller: @user = params[:user]
      View: <%= @user[:name] %>

  32. (same as slide 31)

  33. Next: From Controllers to Views
      Controller: @user = params[:user]
      View: <%= params[:user][:name] %>
  34. Really Simple Data Flow
      user = params[:user]
      user_id = user[:id]
      @current_user = User.find(user_id)
      @current_user.update_attributes(user)

  35. (same as slide 34)

  36. Really Simple Data Flow
      user = params[:user]
      user_id = params[:id]
      @current_user = User.find(user_id)
      @current_user.update_attributes(user)

  37. (same as slide 36)

  38. Really Simple Data Flow
      user = params[:user]
      user_id = params[:id]
      @current_user = User.find(params[:user][:id])
      @current_user.update_attributes(user)

  39. (same as slide 38)

  40. Really Simple Data Flow
      user = params[:user]
      user_id = params[:id]
      @current_user = User.find(params[:user][:id])
      User.find(params[:user][:id]).update_attributes(user)

  41. (same as slide 40)

  42. Really Simple Data Flow
      user = params[:user]
      user_id = params[:id]
      @current_user = User.find(params[:user][:id])
      User.find(params[:user][:id]).update_attributes(params[:user])

  43. Really Simple Data Flow: Mass Assignment
      user = params[:user]
      user_id = params[:id]
      @current_user = User.find(params[:user][:id])
      User.find(params[:user][:id]).update_attributes(params[:user])
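The substitution the slides walk through on 34 to 43, carried out by a small resolver written for this transcript (an added example, not Brakeman's code; it assumes straight-line statements with at most one assignment per line and treats only update_attributes as a sink):

```ruby
# Added example, not Brakeman's code: a toy "really simple data flow" pass.
# It walks straight-line Ruby statements, substitutes each local/instance
# variable with its (already resolved) definition, and flags a sink that
# ends up receiving an expression rooted in params.

# Only the sink the slides name: update_attributes fed a params hash.
SINKS = { "update_attributes" => "Unrestricted mass assignment" }.freeze

# "lhs = rhs" on one line; lhs is a local or instance variable.
ASSIGN = /\A\s*(@?[a-z_]\w*)\s*=\s*(.+?)\s*\z/

# Identifiers to substitute: not symbols (:user), not method names (.find),
# not the tail of a longer word; constants such as User are left alone.
IDENT = /(?<![:.\w])@?[a-z_]\w*\b/

# Rewrite every known variable in expr with its resolved definition.
def resolve(expr, env)
  expr.gsub(IDENT) { |id| env.fetch(id, id) }
end

# Returns [env, warnings]: env maps each variable to its fully resolved
# definition; warnings lists sinks reached by params-rooted data.
def analyze(lines)
  env = {}
  warnings = []
  lines.each do |line|
    if (m = ASSIGN.match(line))
      stmt = resolve(m[2], env)
      env[m[1]] = stmt          # later statements see params, not user
    else
      stmt = resolve(line.strip, env)
    end
    stmt.scan(/\.(\w+)\(([^()]*)\)/) do |method, arg|
      next unless SINKS.key?(method) && arg.match?(/\bparams\b/)
      warnings << { type: SINKS[method], code: stmt }
    end
  end
  [env, warnings]
end

# Constructed input: the four controller lines from the slides.
SLIDE_CODE = [
  "user = params[:user]",
  "user_id = user[:id]",
  "@current_user = User.find(user_id)",
  "@current_user.update_attributes(user)",
].freeze
```

Calling analyze(SLIDE_CODE) resolves the last line to User.find(params[:user][:id]).update_attributes(params[:user]), exactly the form slide 42 reaches, and reports it as unrestricted mass assignment.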
  44. Brakeman Can Detect...
      • Cross site scripting
      • SQL injection
      • Command injection
      • Unrestricted mass assignment
      • Unprotected redirects
      • Unsafe file access
      • Insufficient model validation
      • Version-specific security issues
      • Dangerous use of eval
      • Dangerous use of send
      • Default routes
      • Dynamic render paths
      • …and more!

  45. Performance (Brakeman 1.6.0, Ruby 1.9.3-p125)
      Twitter Main App: < 2m
      nventory (66c, 58m, 688t): ~1m
      Redmine (50c, 77m, 256t): ~20s
      Typo (34c, 47m, 113t): ~5s
  46. Back to SDLC: Write code, Run tests, Deploy code, Commit code, Push to CI server, Code review, QA Testing

  47. Run Brakeman Anytime: Write code, Run tests, Deploy code, Commit code, Push to CI server, Code review, QA Testing

  48–51. (same as slide 47)

  52. Brakeman + jenkins-ci.org (open source CI server)

  53. Brakeman + (image only)

  54. Brakeman + (image only)

  55. Brakeman Programmatically
      require "brakeman"
      Brakeman.run "myapp"

  56. Run Brakeman Anytime: Write code, Run tests, Deploy code, Commit code, Push to CI server, Code review, QA Testing

  57–58. (same as slide 56)

  59. Brakeman + Rake
      brakeman --rake
      rake brakeman:run

  60. Hardcore Mode
      brakeman -z

  61. Comparing Brakeman Results
      brakeman -o report.json
      brakeman --compare report.json

  62. Brakeman...All the Time? Write code, Run tests, Deploy code, Commit code, Push to CI server, Code review, QA Testing

  63. Brakeman...All the Time? Write code, Run tests, Deploy code, Commit code, Push to CI server, Code review, QA Testing, Save code

  64. Fast Rescanning: Brakeman supports fast rescanning of changed files*

  65. Fast Rescanning: *If scan is kept in memory

  66. Brakeman + Guard
      group :development do
        gem 'guard-brakeman'
      end

  67. Brakeman + Guard
      guard init brakeman
      guard

  68. Brakeman + Guard Demo: http://www.youtube.com/watch?v=CMgYcr9_ONs

  69. Caveats

  70. warnings != vulnerabilities

  71. zero warnings does not mean zero vulnerabilities

  72. Brakeman is not omniscient

  73. Supports
      • Rails 2.x & 3.x
      • Ruby 1.8.7 & 1.9.x
      • JRuby

  74. brakemanscanner.org, github.com/presidentbeef/brakeman, @brakeman