Scan security of your Rails app with Brakeman

Transcript

1. Brakeman Romain Sempé @rsempe https://github.com/rsempe Scan security of your Rails

   app jeudi, 15 novembre 12

2. Web vulnerabilities Results of a recent survey on web apps:

   - 68% Cross site scripting issues - 32% SQL Injection Harder to manually test the security when apps grow larger! jeudi, 15 novembre 12

3. User.first("login = '#{params[:name]}' AND password = '#{params[:password]}'") Inputs: ' OR

   '1' = '1 SQL query result: SELECT * FROM users WHERE login = ' ' OR '1'='1' AND password = ' ' OR '1'='1' LIMIT 1; E.g SQL Injection jeudi, 15 novembre 12

4. <%= "Hello #{params[:name]}" %> Input: <script>alert('attacked')</script> E.g Cross Site Scripting

   (XSS) jeudi, 15 novembre 12

5. Rails secure strategy XSS protection: sanitize by default, otherwise html_safe.

   jeudi, 15 novembre 12

6. Rails secure strategy XSS protection: sanitize by default, otherwise html_safe.

   Mass assignment strategy update (not whitelisted by default). jeudi, 15 novembre 12

7. Rails secure strategy XSS protection: sanitize by default, otherwise html_safe.

   Mass assignment strategy update (not whitelisted by default). CRSF protection by default with authenticity_token. jeudi, 15 novembre 12

8. Rails secure strategy XSS protection: sanitize by default, otherwise html_safe.

   Mass assignment strategy update (not whitelisted by default). CRSF protection by default with authenticity_token. Secure encryption with bcrypt (password_digest). jeudi, 15 novembre 12

9. Rails secure strategy XSS protection: sanitize by default, otherwise html_safe.

   Mass assignment strategy update (not whitelisted by default). CRSF protection by default with authenticity_token. Secure encryption with bcrypt (password_digest). force_ssl method to ensure https. jeudi, 15 novembre 12

10. Rails secure strategy XSS protection: sanitize by default, otherwise html_safe.

    Mass assignment strategy update (not whitelisted by default). CRSF protection by default with authenticity_token. Secure encryption with bcrypt (password_digest). force_ssl method to ensure https. No more SQL Injections with ActiveRecord. jeudi, 15 novembre 12

11. Rails secure strategy XSS protection: sanitize by default, otherwise html_safe.

    Mass assignment strategy update (not whitelisted by default). CRSF protection by default with authenticity_token. Secure encryption with bcrypt (password_digest). force_ssl method to ensure https. No more SQL Injections with ActiveRecord. And much more... jeudi, 15 novembre 12

12. A lot of commits about security each month on Rails!

    jeudi, 15 novembre 12

13. But how/when measuring the security issues of our Rails application?

    jeudi, 15 novembre 12

14. Brakeman gem Only compatible with Rails. Inspect the source code

    and produce a report. Zero configuration required. Can be run at any stage of the development. jeudi, 15 novembre 12

15. Brakeman detections - Cross Site scripting - SQL Injection /

    Commands Injection - Unrestricted Mass assignments - Unsafe redirects - Unsafe file access - Insufficient model validations - ... and so on! jeudi, 15 novembre 12

16. Cost to fix defects Picture from RailsConf 2012 http://brakemanscanner.org/docs/presentations/ Brakeman-RailsConf2012.pdf

    jeudi, 15 novembre 12

17. $ gem install brakeman $ brakeman (-o report.html) jeudi, 15

    novembre 12

18. jeudi, 15 novembre 12

19. jeudi, 15 novembre 12

20. Now, coding! jeudi, 15 novembre 12

21. Jenkins Integration jeudi, 15 novembre 12

22. « Zero warnings does not mean zero vulnerabilities » Justin

    Collins - RailsConf 2012 http://brakemanscanner.org/docs/presentations/ Brakeman-RailsConf2012.pdf jeudi, 15 novembre 12

23. http://brakemanscanner.org/ https://github.com/presidentbeef/brakeman @brakeman http://brakemanscanner.org/docs/presentations/ Brakeman-RailsConf2012.pdf http://railscasts.com/episodes/358-brakeman jeudi, 15 novembre 12