Brakeman
Scan security of your Rails app

Romain Sempé
@rsempe
https://github.com/rsempe
Web vulnerabilities

Results of a recent survey on web apps:

   - 68% Cross site scripting issues
   - 32% SQL Injection

Manual security testing gets harder as apps grow larger!
E.g. SQL Injection

User.first("login = '#{params[:name]}' AND password = '#{params[:password]}'")

Input (in both fields): ' OR '1' = '1

SQL query result:
SELECT * FROM users WHERE login = ' ' OR '1'='1' AND password = ' ' OR '1'='1' LIMIT 1;
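The slide shows the query as the database receives it. The following Ruby script is an added example (not from the slides, and not ActiveRecord code): it builds the same login query twice, once by string interpolation as on the slide and once through a small placeholder-binding routine, `bind_sql`, which stands in for ActiveRecord's `?` binding and quotes each value the way the SQL standard does (doubling embedded single quotes). The function names and the quoting routine are this example's own.

```ruby
# Added example: why interpolating user input into SQL is injectable and how
# parameter binding neutralises the identical input.
# `bind_sql` is a toy stand-in for ActiveRecord's `?` placeholders, not the real thing.

# Quote a Ruby value as a SQL literal: strings get single quotes and any
# embedded quote is doubled (the SQL standard escape); integers pass through.
def sql_quote(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Replace each `?` in the template with the quoted next bind value.
# Substituted text is never re-scanned, so a `?` inside a value is harmless.
def bind_sql(template, *binds)
  raise ArgumentError, "bind count mismatch" unless template.count("?") == binds.size
  queue = binds.dup
  template.gsub("?") { sql_quote(queue.shift) }
end

# The vulnerable pattern from the slide: user input concatenated straight in.
def login_query_unsafe(name, password)
  "SELECT * FROM users WHERE login = '#{name}' AND password = '#{password}' LIMIT 1"
end

# The same query built with bound parameters: the input stays one string literal.
def login_query_safe(name, password)
  bind_sql("SELECT * FROM users WHERE login = ? AND password = ? LIMIT 1", name, password)
end

if __FILE__ == $PROGRAM_NAME
  payload = "' OR '1' = '1"   # constructed input, the value shown on the slide
  puts "interpolated: #{login_query_unsafe(payload, payload)}"
  puts "bound:        #{login_query_safe(payload, payload)}"
end
```

In the interpolated version the `OR '1' = '1` fragment becomes part of the WHERE clause; in the bound version the whole input is one quoted literal that no login matches. This is the difference behind the "No more SQL Injections with ActiveRecord" point later in the deck, and it only holds when the query goes through placeholders or hash conditions rather than a string built by hand.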
E.g. Cross Site Scripting (XSS)

<%= "Hello #{params[:name]}" %>

Input: <script>alert('attacked')</script>
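As an added example (not from the slides), the greeting above rendered two ways in plain Ruby: escaped, which is what Rails' `<%= %>` does by default, and unescaped, which is what the template produces once the value has been marked `html_safe` or passed through `raw`. `ERB::Util.html_escape` is Ruby standard library; `render_greeting_raw` and `contains_markup?` are this example's own helpers.

```ruby
# Added example: the slide's greeting with and without output escaping.
# ERB::Util.html_escape (stdlib) does the same character mapping Rails relies on.
require "erb"

# Default Rails behaviour: every interpolated value is escaped, so any
# markup in the input becomes inert text.
def render_greeting(name)
  "Hello #{ERB::Util.html_escape(name)}"
end

# What the page receives when escaping is bypassed (html_safe / raw):
# the input lands in the document as live markup.
def render_greeting_raw(name)
  "Hello #{name}"
end

# The check a reviewer, or a scanner such as Brakeman, is effectively asking:
# did an unescaped tag reach the output?
def contains_markup?(html)
  html.match?(%r{<\s*[a-z!/]}i)
end

if __FILE__ == $PROGRAM_NAME
  input = "<script>alert('attacked')</script>"   # constructed input, from the slide
  puts render_greeting(input)        # tag rendered as text
  puts render_greeting_raw(input)    # tag rendered as markup
end
```

The escaped output keeps the user's text visible while turning `<`, `>` and quotes into entities, so the browser never parses a tag. Brakeman's XSS checks look for exactly the second path: model attributes or params reaching a view through `raw`, `html_safe` or string-built HTML.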
Rails secure strategy

XSS protection: output is escaped by default, unless marked html_safe.
Mass assignment strategy update (attributes are not whitelisted by default).
CSRF protection by default with authenticity_token.
Secure password hashing with bcrypt (password_digest).
force_ssl method to ensure HTTPS.
No more SQL Injections with ActiveRecord.
And much more...
A lot of commits about security each month on Rails!

But how and when do we measure the security issues of our Rails
Brakeman gem

Only compatible with Rails.
Inspects the source code and produces a report.
Zero configuration required.
Can be run at any stage of development.
Brakeman detections

- Cross Site Scripting
- SQL Injection / Command Injection
- Unrestricted mass assignment
- Unsafe redirects
- Unsafe file access
- Insufficient model validations
- ... and so on!
Cost to fix defects

Picture from RailsConf 2012: http://brakemanscanner.org/docs/presentations/Brakeman-RailsConf2012.pdf
$ gem install brakeman
$ brakeman (-o report.html)
Now, coding!
Jenkins Integration
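The Jenkins slide is an image, so here is an added example (not from the slides, and not Brakeman's own code) of the piece a CI job needs: a small Ruby build gate that reads the JSON report written by `brakeman -f json -o brakeman.json` and fails the job when warnings at or above a chosen confidence remain. The sample report is constructed; the field names it uses (`warnings`, `warning_type`, `confidence` with the labels High/Medium/Weak, `file`, `line`, `message`, `errors`) are assumed from Brakeman's JSON report format, and the threshold policy is this script's own.

```ruby
# Added example: gate a CI build on a Brakeman JSON report.
# Run inside a Jenkins job as: brakeman -f json -o brakeman.json; ruby gate.rb brakeman.json
require "json"

# Brakeman confidence labels, ranked so a threshold can be applied.
CONFIDENCE_RANK = { "High" => 3, "Medium" => 2, "Weak" => 1 }.freeze

# Warnings whose confidence is at least `min_confidence`.
def blocking_warnings(report, min_confidence: "Medium")
  floor = CONFIDENCE_RANK.fetch(min_confidence)
  report.fetch("warnings", []).select do |w|
    CONFIDENCE_RANK.fetch(w["confidence"], 0) >= floor
  end
end

# Warning count per confidence level, for the build log.
def confidence_summary(report)
  report.fetch("warnings", []).each_with_object(Hash.new(0)) do |w, acc|
    acc[w["confidence"]] += 1
  end
end

# Job outcome: 0 = pass, 1 = fail. Scan errors fail the build too, because a
# scan that could not parse part of the app proves nothing about that part.
def build_exit_status(report, min_confidence: "Medium")
  return 1 unless report.fetch("errors", []).empty?
  blocking_warnings(report, min_confidence: min_confidence).empty? ? 0 : 1
end

# One log line per blocking warning.
def format_warning(w)
  "#{w['confidence']}: #{w['warning_type']} in #{w['file']}:#{w['line']} - #{w['message']}"
end

def load_report(json_text)
  JSON.parse(json_text)
end

# Constructed sample report; not real scan output.
SAMPLE_REPORT_JSON = <<~JSON
  {
    "warnings": [
      {"warning_type": "SQL Injection", "confidence": "High",
       "file": "app/controllers/sessions_controller.rb", "line": 12,
       "message": "Possible SQL injection"},
      {"warning_type": "Cross-Site Scripting", "confidence": "Weak",
       "file": "app/views/users/show.html.erb", "line": 3,
       "message": "Unescaped model attribute"}
    ],
    "errors": []
  }
JSON

if __FILE__ == $PROGRAM_NAME
  report = load_report(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_REPORT_JSON)
  puts "Warnings by confidence: #{confidence_summary(report)}"
  blocking_warnings(report).each { |w| puts format_warning(w) }
  status = build_exit_status(report)
  puts "Build gate: #{status.zero? ? 'PASS' : 'FAIL'}"
  exit status if ARGV[0]   # real CI run: propagate the result to Jenkins
end
```

With the default Medium floor the sample fails on the High SQL Injection warning and lets the Weak XSS warning through for review rather than blocking on it. The gate enforces a floor, not a proof: as the next slide puts it, zero warnings does not mean zero vulnerabilities.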
« Zero warnings does not mean zero vulnerabilities »

Justin Collins - RailsConf 2012
http://brakemanscanner.org/docs/presentations/Brakeman-RailsConf2012.pdf
http://brakemanscanner.org/

https://github.com/presidentbeef/brakeman

@brakeman

http://brakemanscanner.org/docs/presentations/Brakeman-RailsConf2012.pdf

http://railscasts.com/episodes/358-brakeman
