Fretless

Static Security Analysis of your Ruby and Rails Applications
By David Jones

The Ruby community is blessed with a number of great tools to look over your code, and report back to you with actionable stuff that you can do to secure your application against Internet threats.

The tools we are looking at in this post use a technique called static analysis: they don't actually run your code, but instead look for patterns, such as request params being used in strings that are passed to your database in an unsafe way, even when the value is stored in another variable first.
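The following is an added illustration of that idea, not code from the post and not how Brakeman or Dawn are implemented (they work on the parsed Ruby AST and are far more thorough). It is a toy, line-based checker that tracks values taken from params through assignments and reports any that end up interpolated into the SQL string of a query method; the controller action it scans is a constructed sample, and the list of SQL-taking methods is an assumption.

```ruby
require 'set'

# Constructed sample (not from RailsGoat): a Rails-style action with two unsafe
# queries and one parameterised query. The single-quoted heredoc keeps "#{...}"
# literal so the checker can inspect it.
SAMPLE_ACTION = <<~'RUBY'
  def search
    term = params[:q]
    hits = User.where("name LIKE '%#{term}%'")          # tainted via `term`
    ok   = User.where("name LIKE ?", "%#{params[:q]}%") # bound parameter: safe
    User.find_by_sql("SELECT * FROM users WHERE id = #{params[:id]}")
  end
RUBY

TAINT_SOURCE  = /\bparams\[/
# Assumed list of query methods whose first string argument becomes SQL text.
SQL_SINKS     = %w[where find_by_sql execute order group having select joins].freeze
SINK_CALL     = /\.(#{SQL_SINKS.join('|')})\(\s*"((?:[^"\\]|\\.)*)"/
ASSIGNMENT    = /\A\s*(\w+)\s*=\s*(.+)\z/
INTERPOLATION = /#\{([^}]*)\}/

# Name of the tainted variable (or 'params') appearing in `expr`, else nil.
def taint_in(expr, tainted)
  return 'params' if expr =~ TAINT_SOURCE
  tainted.find { |v| expr =~ /\b#{Regexp.escape(v)}\b/ }
end

# Line-based taint tracking: a variable assigned from params, directly or via
# another tainted variable, is tainted; a tainted value interpolated into the
# SQL string literal of a sink call is reported with its line number.
def find_sql_injection(source)
  tainted  = Set.new
  findings = []
  source.each_line.with_index(1) do |raw, lineno|
    line = raw.chomp
    if (call = line.match(SINK_CALL))
      call[2].scan(INTERPOLATION).flatten.each do |expr|
        via = taint_in(expr, tainted)
        findings << { line: lineno, method: call[1], via: via } if via
      end
    end
    asg = line.match(ASSIGNMENT)
    tainted << asg[1] if asg && taint_in(asg[2], tainted)
  end
  findings
end

find_sql_injection(SAMPLE_ACTION).each do |f|
  puts "line #{f[:line]}: #{f[:method]}(...) interpolates #{f[:via]} into SQL"
end
```

The second `where` call is not reported because the param goes into a bound argument rather than the SQL text, which is exactly the distinction the real tools draw.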

This is a great way to get visibility into the security threats hiding in your application.

Let's talk about a few of them.

Brakeman

Brakeman is a security analysis tool for Rails. Its job is to look through your code and find security issues.

Let's install Brakeman and run it over RailsGoat, an open-source Rails application that is intentionally insecure as a teaching tool.

git clone https://github.com/OWASP/railsgoat.git
cd railsgoat
gem install brakeman
brakeman -o brakeman-report.html
open brakeman-report.html

[Figure: HTML version of the Brakeman report]

In mere seconds, Brakeman has crawled over the app looking for holes that could be exploited. We now have a great report on a number of security issues in this application, each expertly pinpointed for you to go and fix. The "Warning Type" column links to documentation on each issue if you need to read up on why it is bad and how to fix it.

bundler-audit

Bundler-Audit crawls through your Gemfile.lock, looking for gem versions with vulnerabilities reported in the Ruby Advisory Database.

Again, let’s turn this loose on RailsGoat:

gem install bundler-audit
bundle-audit

[Figure: Bundler-Audit output (text)]

Whoa, there's plenty here that isn't in this project's own code at all: dependencies that have their own security issues. All neatly laid out with links to the advisories and a summary of each issue.

Codesake-Dawn

Codesake-Dawn is a security scanner similar to Brakeman, but suitable for any Ruby project, and not just Rails.

It seems that Dawn has a tricky dependency graph, and just installing the gem created some version dependency mismatches, so I decided to create a Gemfile and let bundler sort it out. You could also get around this by actually adding codesake-dawn to your project’s Gemfile, but I want to keep it isolated and separate.

cd ..
mkdir codesake-dawn
cd codesake-dawn
echo "source 'https://rubygems.org'; gem 'codesake-dawn'" > Gemfile
bundle install
bundle exec dawn --html -F codesake-dawn-report.html ../railsgoat/
open codesake-dawn-report.html

[Figure: HTML version of the Codesake-Dawn report]

As you can see, this also found a number of issues, and there is a decent amount of overlap with the other tools, but more information is better, especially when talking about security.

As you go through updating gems and addressing security issues, you can re-run all three of these tools to see what they find, without executing a single line of your application code, so there's zero possibility of accidentally triggering a mailer or touching the database.

You can even make them part of your Continuous Integration setup, so you get ongoing reporting on how your application's security improves over time.

Pretty cool, eh?

Get out there and start securing your applications!

If you need help, contact us for a custom consultation with all of these reports and more.