
Keeping Rails Applications on Track with Brakeman


Brakeman (http://brakemanscanner.org/) is an open source static analysis tool which provides painless vulnerability scans of Rails code from "rails new" through deployment. Running Brakeman as a part of continuous integration provides feedback during all stages of development and can alert developers immediately when a potential vulnerability is introduced. Bringing security testing as close to the developer as possible (even scanning as files are saved) means security problems are caught faster - and the sooner problems are found the cheaper they are to fix.

Justin Collins

May 23, 2012


Transcript

  1. Idealized Software Development: Write code, Run tests, Deploy code, Commit code, Push to CI server, Code review, QA Testing
  2-3. Cost to Fix Defects (same stages): Write code, Run tests, Deploy code, Commit code, Push to CI server, Code review, QA Testing
  4-11. Cost to Fix Defects, with Security Review added: Write code, Run tests, Deploy code, Commit code, Push to CI server, Code review, QA Testing, Security Review
  12. Cost to Fix Defects, with Save code added: Write code, Run tests, Deploy code, Commit code, Push to CI server, Code review, QA Testing, Security Review, Save code
  15-16. Really Simple Data Flow

    user = params[:user]
    user_id = params[:id]
    @current_user = User.find(user_id)
    @current_user.update_attributes(user)

  17-18. Really Simple Data Flow (user_id inlined into the find)

    user = params[:user]
    user_id = params[:id]
    @current_user = User.find(params[:user][:id])
    @current_user.update_attributes(user)

  19-20. Really Simple Data Flow (@current_user inlined into the update)

    user = params[:user]
    user_id = params[:id]
    @current_user = User.find(params[:user][:id])
    User.find(params[:user][:id]).update_attributes(user)

  21. Really Simple Data Flow (user inlined into the update)

    user = params[:user]
    user_id = params[:id]
    @current_user = User.find(params[:user][:id])
    User.find(params[:user][:id]).update_attributes(params[:user])

  22. Really Simple Data Flow: Mass Assignment

    user = params[:user]
    user_id = params[:id]
    @current_user = User.find(params[:user][:id])
    User.find(params[:user][:id]).update_attributes(params[:user])
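The slides above walk a four-line controller action through variable substitution until the `update_attributes` call is visibly fed straight from `params`. The following is an added example, not code from the deck or from Brakeman, that reproduces that walk-through on straight-line Ruby statements: each assignment is recorded with earlier variables already inlined, and each `update_attributes` call is resolved the same way and flagged when its argument still reads from `params`. Brakeman itself works on a parsed AST rather than regular expressions; the `SimpleDataFlow` class, the `Finding` struct, and the constructed `SLIDE_SNIPPET` input (the slides' four statements plus a safe update that should not be flagged) are all assumptions made for this illustration.

```ruby
# Added example (not Brakeman's code): a toy version of the "Really Simple Data Flow"
# walk-through from the slides. It handles straight-line code only:
#   name = expr                 -> remember expr with earlier variables inlined
#   recv.update_attributes(...) -> resolve the call, warn if the argument derives from params
# Real Brakeman analyses a parsed AST; the regex-driven structure here is an assumption.
class SimpleDataFlow
  ASSIGN      = /\A\s*(@?[a-z_]\w*)\s*=\s*(.+)\z/
  MASS_ASSIGN = /\.update_attributes\((.*)\)\z/

  Finding = Struct.new(:line, :resolved, :type)

  def initialize
    @env = {} # variable name => expression with all known variables inlined
  end

  # Inline every known variable, in definition order, the way the slides rewrite
  # user_id -> params[:id] and @current_user -> User.find(params[:id]).
  # The lookbehind stops "user" from matching inside "params[:user]" or "@current_user".
  def substitute(expr)
    @env.reduce(expr) do |acc, (name, value)|
      acc.gsub(/(?<![\w@:])#{Regexp.escape(name)}\b/, value)
    end
  end

  # After substitution, an argument is user-controlled if it still reads from params.
  def tainted?(expr)
    expr.include?("params[")
  end

  def analyze(source)
    findings = []
    source.each_line(chomp: true) do |raw|
      line = raw.strip
      next if line.empty? || line.start_with?("#")
      if (m = ASSIGN.match(line))
        @env[m[1]] = substitute(m[2])
      else
        resolved = substitute(line)
        call = MASS_ASSIGN.match(resolved)
        if call && tainted?(call[1])
          findings << Finding.new(line, resolved, :unrestricted_mass_assignment)
        end
      end
    end
    findings
  end
end

# Constructed input: the four statements from the slides, plus a safe update whose
# argument never touches params and therefore must not be flagged.
SLIDE_SNIPPET = <<~RUBY
  user = params[:user]
  user_id = params[:id]
  @current_user = User.find(user_id)
  @current_user.update_attributes(user)
  defaults = { role: "member" }
  @current_user.update_attributes(defaults)
RUBY

def scan_slide_snippet
  SimpleDataFlow.new.analyze(SLIDE_SNIPPET)
end

if __FILE__ == $PROGRAM_NAME
  scan_slide_snippet.each do |f|
    puts "#{f.type}: #{f.line}"
    puts "  resolves to #{f.resolved}"
  end
end
```

Running the file prints one finding, with the call resolved to `User.find(params[:id]).update_attributes(params[:user])`, which is the form slide 22 labels as mass assignment; the `defaults` update resolves to a literal hash and stays quiet. The point the substitution makes is that taint is a property of the resolved value, not of the variable name: renaming `user` does nothing, and only whitelisting the attributes (attr_accessible in Rails 3 of this era, strong parameters later) changes what the call receives.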
  23. Brakeman Can Detect...
    • Cross site scripting
    • SQL injection
    • Command injection
    • Unrestricted mass assignment
    • Unprotected redirects
    • Unsafe file access
    • Insufficient model validation
    • Version-specific security issues
    • Dangerous use of eval
    • Dangerous use of send
    • Default routes
    • Dynamic render paths
    • …and more!
  24. Performance (Brakeman 1.6.0, Ruby 1.9.3-p125)
    Twitter Main App: < 2m
    nventory (66c, 58m, 688t): ~1m
    Redmine (50c, 77m, 256t): ~20s
    Typo (34c, 47m, 113t): ~5s
  25. Back to SDLC: Write code, Run tests, Deploy code, Commit code, Push to CI server, Code review, QA Testing
  26-33. Run Brakeman Anytime: Write code, Run tests, Deploy code, Commit code, Push to CI server, Code review, QA Testing
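The "Run Brakeman Anytime" slides place the scan at every stage of the pipeline, and the abstract says the CI run should alert developers as soon as a potential vulnerability is introduced. The following is an added example, not part of the deck or of Brakeman, of the CI side of that: a small gate that reads a Brakeman JSON report (`brakeman -f json -o brakeman.json`), fails the build on any warning at or above a chosen confidence, and lets a reviewed finding be accepted by an explicit allow-list instead of being silenced by lowering the threshold. The report shape assumed here (a `warnings` array whose entries carry `warning_type`, `confidence` with the values High, Medium or Weak, `file`, `line` and `message`) is stated as an assumption; the `SAMPLE_REPORT` is constructed for the example.

```ruby
require "json"

# Added example (not Brakeman's code): a CI gate over a Brakeman JSON report.
# Assumed report shape: {"warnings": [{"warning_type", "confidence", "file", "line", "message"}, ...]}
# with confidence one of "High", "Medium" or "Weak".
CONFIDENCE_RANK = { "High" => 3, "Medium" => 2, "Weak" => 1 }.freeze

# Stable identity for an allow-listed finding: the warning type plus its location,
# so accepting one reviewed warning does not accept every warning of that type.
def warning_key(w)
  "#{w["warning_type"]}@#{w["file"]}:#{w["line"]}"
end

# Returns [blocking, accepted]: warnings that must fail the build, and those that are
# either below the confidence threshold or explicitly allow-listed.
def triage(report, min_confidence: "Medium", allow: [])
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  report.fetch("warnings", []).partition do |w|
    CONFIDENCE_RANK.fetch(w["confidence"], 0) >= threshold && !allow.include?(warning_key(w))
  end
end

def build_passes?(report, **opts)
  triage(report, **opts).first.empty?
end

# Constructed sample report: one high-confidence mass assignment and one weak redirect.
SAMPLE_REPORT = JSON.parse(<<~JSON)
  {"warnings": [
    {"warning_type": "Mass Assignment", "confidence": "High",
     "file": "app/controllers/users_controller.rb", "line": 12,
     "message": "Unprotected mass assignment"},
    {"warning_type": "Redirect", "confidence": "Weak",
     "file": "app/controllers/sessions_controller.rb", "line": 20,
     "message": "Possible unprotected redirect"}
  ]}
JSON

# CLI path: ruby brakeman_gate.rb brakeman.json [allowed_key ...]
# Only runs when a report path is given so the file can also be loaded as a library.
if __FILE__ == $PROGRAM_NAME && ARGV[0]
  report = JSON.parse(File.read(ARGV[0]))
  blocking, accepted = triage(report, allow: ARGV[1..] || [])
  blocking.each { |w| warn "FAIL #{w["confidence"]} #{warning_key(w)}: #{w["message"]}" }
  puts "#{accepted.size} warning(s) below threshold or allow-listed"
  exit(blocking.empty? ? 0 : 1)
end
```

Brakeman's own `-z` (`--exit-on-warn`) flag already makes the process exit non-zero when any warning is reported; the script above adds the two things a team usually wants on top of that: a confidence threshold so weak findings inform rather than block, and an allow-list keyed on type and location so an accepted risk is recorded in the repository and the gate fires again if the same warning moves or a new one appears.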
  34. Brakeman...All the Time?: Write code, Run tests, Deploy code, Commit code, Push to CI server, Code review, QA Testing
  35. Brakeman...All the Time?: Write code, Run tests, Deploy code, Commit code, Push to CI server, Code review, QA Testing, Save code