Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keeping Rails Applications on Track with Brakeman

Justin Collins
May 23, 2012
Programming
2
380

Keeping Rails Applications on Track with Brakeman

Brakeman (http://brakemanscanner.org/) is an open source static analysis tool which provides painless vulnerability scans of Rails code from "rails new" through deployment. Running Brakeman as a part of continuous integration provides feedback during all stages of development and can alert developers immediately when a potential vulnerability is introduced. Bringing security testing as close to the developer as possible (even scanning as files are saved) means security problems are caught faster - and the sooner problems are found the cheaper they are to fix.

Justin Collins

May 23, 2012
Tweet

More Decks by Justin Collins

See All by Justin Collins
Continuous (Application) Security at DevOps Velocity
presidentbeef
0
87
The Evolution of Rails Security
presidentbeef
1
560
Brakeman RailsConf 2017 Lightning Talk
presidentbeef
0
91
Practical Static Analysis for Continuous Application Security
presidentbeef
0
140
"...But Doesn't Rails Take Care of Security for Me?"
presidentbeef
1
300
Continuous Security with Practical Static Analysis
presidentbeef
1
250
Security Automation at Twitter - Rise of the Machines
presidentbeef
0
150
"Recent Rails SQL Issues" - 2012
presidentbeef
0
49
The World of Rails Security - RailsConf 2015
presidentbeef
8
1k

Other Decks in Programming

See All in Programming
Amplify Boostup #2 monorepo 運用による複数プロジェクト開発
coa00
0
140
RISC-V 命令 / ISA 拡張ピックアップ ― 最近追加されたもの、これから追加されるもの、議論が進みつつあるもの
a4lg
0
120
SymfonyLive Paris 2023: Scheduler
fabpot
3
1.8k
Learning PHP with PHP Parser
inouehi
1
420
特徴、魅力を知って、各PHPフレームワークを使いこなそう! / PHPerkaigi 2023
hitoshi_a0
0
270
実録レガシー Rails アプリ改善ジャーニー / Legacy Rails app improvement journey
shutooike
3
150
eslint-flat-config
t_keshi
1
230
PHPの配列とデータ構造 / PHPerKaigi 2023
meihei3
0
370
Laravelへの異常な愛情 または私は如何にして心配するのを止めてEloquentを愛するようになったか
kentaroutakeda
8
3.7k
AT Protocol (BlueSky Social)仕様解説 ~ W3C DID仕様を添えて ~
gpsnmeajp
0
150
#phperkaigi 名著「パーフェクトPHP」のPart3に出てきたフレームワークを令和5年に書き直したらどんな感じですかね?
o0h
PRO
1
1.1k
PHP8によるデザインパターン入門 / Introduction to Design Patterns with PHP8
fendo181
1
750

Featured

See All Featured
Designing with Data
zakiwarfel
91
4.3k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
3
480
Building Adaptive Systems
keathley
29
1.4k
Agile that works and the tools we love
rasmusluckow
321
20k
Ruby is Unlike a Banana
tanoku
93
9.6k
Creatively Recalculating Your Daily Design Routine
revolveconf
207
11k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
217
21k
Making the Leap to Tech Lead
cromwellryan
118
7.7k
Robots, Beer and Maslow
schacon
154
7.4k
Unsuck your backbone
ammeep
660
56k
Principles of Awesome APIs and How to Build Them.
keavy
119
16k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
8
680

Transcript

  1. Keeping Rails Applications
    on Track with Brakeman
    Justin Collins
    @presidentbeef
    RailsConf 2012
    1

    View Slide

  2. Everyone knows they “should”
    worry about security
    2

    View Slide

  3. But when should you worry?
    3

    View Slide

  4. Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    Idealized Software Development
    4

    View Slide

  5. Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    Cost to Fix Defects
    5

    View Slide

  6. Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    Cost to Fix Defects
    6

    View Slide

  7. Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    Security Review
    Cost to Fix Defects
    6

    View Slide

  8. Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    Security Review
    Cost to Fix Defects
    6

    View Slide

  9. Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    Security Review
    Cost to Fix Defects
    6

    View Slide

  10. Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    Security Review
    Cost to Fix Defects
    6

    View Slide

  11. Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    Security Review
    Cost to Fix Defects
    6

    View Slide

  12. Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    Security Review
    Cost to Fix Defects
    6

    View Slide

  13. Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    Security Review
    Cost to Fix Defects
    6

    View Slide

  14. Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    Security Review
    Cost to Fix Defects
    6

    View Slide

  15. Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    Security Review
    Save
    code
    Cost to Fix Defects
    6

    View Slide

  16. brakemanscanner.org
    github.com/presidentbeef/brakeman
    @brakeman
    7

    View Slide

  17. “zero configuration”
    security scanning
    8

    View Slide

  18. gem install brakeman
    cd my_rails_app/
    brakeman
    9

    View Slide

  19. 10

    View Slide

  20. gem install brakeman
    cd my_rails_app/
    brakeman -o report.html
    11

    View Slide

  21. 12

    View Slide

  22. “Confidence” View
    Render
    Location
    Warning Type
    Line Number Code Snippet
    13

    View Slide

  23. Line 5
    14

    View Slide

  24. Static Analysis Detour
    15

    View Slide

  25. Static Analysis
    Anything that can be determined about a program
    without actually executing it
    16

    View Slide

  26. “But Ruby is way too dynamic
    for that!”
    17

    View Slide

  27. eval(File.read(gets.strip))
    18

    View Slide

  28. We don’t have to know
    everything
    19

    View Slide

  29. Most of the Action Happens Here
    Controller View Partials
    Filters
    20

    View Slide

  30. View

    Start Simple:
    User Input in Views
    21

    View Slide

  31. Controller
    View
    Next: From Controllers to Views

    @user = params[:user]
    22

    View Slide

  32. Controller
    View
    Next: From Controllers to Views

    @user = params[:user]
    22

    View Slide

  33. Next: From Controllers to Views
    Controller
    View

    @user = params[:user]
    23

    View Slide

  34. user = params[:user]
    user_id = user[:id]
    @current_user = User.find(user_id)
    @current_user.update_attributes(user)
    Really Simple Data Flow
    24

    View Slide

  35. user = params[:user]
    user_id = user[:id]
    @current_user = User.find(user_id)
    @current_user.update_attributes(user)
    Really Simple Data Flow
    24

    View Slide

  36. Really Simple Data Flow
    user = params[:user]
    user_id = params[:id]
    @current_user = User.find(user_id)
    @current_user.update_attributes(user)
    25

    View Slide

  37. Really Simple Data Flow
    user = params[:user]
    user_id = params[:id]
    @current_user = User.find(user_id)
    @current_user.update_attributes(user)
    25

    View Slide

  38. Really Simple Data Flow
    user = params[:user]
    user_id = params[:id]
    @current_user = User.find(params[:user][:id])
    @current_user.update_attributes(user)
    26

    View Slide

  39. Really Simple Data Flow
    user = params[:user]
    user_id = params[:id]
    @current_user = User.find(params[:user][:id])
    @current_user.update_attributes(user)
    26

    View Slide

  40. Really Simple Data Flow
    user = params[:user]
    user_id = params[:id]
    @current_user = User.find(params[:user][:id])
    User.find(params[:user][:id]).update_attributes(user)
    27

    View Slide

  41. Really Simple Data Flow
    user = params[:user]
    user_id = params[:id]
    @current_user = User.find(params[:user][:id])
    User.find(params[:user][:id]).update_attributes(user)
    27

    View Slide

  42. Really Simple Data Flow
    user = params[:user]
    user_id = params[:id]
    @current_user = User.find(params[:user][:id])
    User.find(params[:user][:id]).update_attributes(params[:user])
    28

    View Slide

  43. Really Simple Data Flow
    Mass
    Assignment
    user = params[:user]
    user_id = params[:id]
    @current_user = User.find(params[:user][:id])
    User.find(params[:user][:id]).update_attributes(params[:user])
    28

    View Slide

  44. Brakeman Can Detect...
    • Cross site scripting
    • SQL injection
    • Command injection
    • Unrestricted mass assignment
    • Unprotected redirects
    • Unsafe file access
    • Insufficient model validation
    • Version-specific security issues
    • Dangerous use of eval
    • Dangerous use of send
    • Default routes
    • Dynamic render paths
    • …and more!
    29

    View Slide

  45. Performance
    Twitter Main App < 2m
    nventory
    (66c, 58m, 688t)
    ~1m
    Redmine
    (50c, 77m, 256t)
    ~20s
    Typo
    (34c, 47m, 113t)
    ~5s
    Brakeman 1.6.0, Ruby 1.9.3-p125
    30

    View Slide

  46. Back to SDLC
    Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    31

    View Slide

  47. Run Brakeman Anytime
    Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    32

    View Slide

  48. Run Brakeman Anytime
    Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    32

    View Slide

  49. Run Brakeman Anytime
    Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    32

    View Slide

  50. Run Brakeman Anytime
    Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    32

    View Slide

  51. Run Brakeman Anytime
    Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    32

    View Slide

  52. Brakeman +
    jenkins-ci.org
    open source CI server
    33

    View Slide

  53. Brakeman +
    34

    View Slide

  54. Brakeman +
    35

    View Slide

  55. Brakeman Programatically
    require “brakeman”
    Brakeman.run “myapp”
    36

    View Slide

  56. Run Brakeman Anytime
    Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    37

    View Slide

  57. Run Brakeman Anytime
    Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    37

    View Slide

  58. Run Brakeman Anytime
    Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    37

    View Slide

  59. Brakeman + Rake
    brakeman --rake
    rake brakeman:run
    38

    View Slide

  60. Hardcore Mode
    brakeman -z
    39

    View Slide

  61. Comparing Brakeman Results
    brakeman -o report.json
    brakeman --compare report.json
    40

    View Slide

  62. Brakeman...All the Time?
    Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    41

    View Slide

  63. Brakeman...All the Time?
    Write
    code
    Run
    tests
    Deploy
    code
    Commit
    code
    Push to
    CI server
    Code
    review
    QA
    Testing
    Save
    code
    41

    View Slide

  64. Fast Rescanning
    Brakeman supports fast
    rescanning of changed files*
    42

    View Slide

  65. Fast Rescanning
    *If scan is kept in memory
    43

    View Slide

  66. Brakeman + Guard
    group :development do
    gem 'guard-brakeman'
    end
    44

    View Slide

  67. Brakeman + Guard
    guard init brakeman
    guard
    45

    View Slide

  68. http://www.youtube.com/
    watch?v=CMgYcr9_ONs
    Brakeman + Guard Demo
    46

    View Slide

  69. Caveats
    47

    View Slide

  70. warnings != vulnerabilities
    48

    View Slide

  71. zero warnings
    does not mean
    zero vulnerabilities
    49

    View Slide

  72. Brakeman is not omniscient
    50

    View Slide

  73. Supports
    • Rails 2.x & 3.x
    • Ruby 1.8.7 & 1.9.x
    • JRuby
    51

    View Slide

  74. brakemanscanner.org
    github.com/presidentbeef/brakeman
    @brakeman
    52

    View Slide