The document discusses the integration of static analysis security tools, specifically Brakeman, within the DevSecOps framework to enhance code security during development. It emphasizes the need for developers to take responsibility for secure coding practices and provides insights on the automation of security tools for early feedback. Various strategies for incorporating security measures into the development workflow are outlined, highlighting the benefits of source code analysis for continuous integration and deployment processes.

4. Me
@MakotoTheCat

5. @presidentbeef
Obligatory “About Me”
6 years of application security
(AT&T Interactive, Twitter, SurveyMonkey)
6 years working on Brakeman OSS
(Static analysis security tool for Rails)
2.5 years working on
(More pro static analysis security tool for Rails)

6. @presidentbeef
The Ratio of Doom
100 : 10 : 1
Dev Ops Sec
Shannon Lietz
http://www.slideshare.net/SeniorStoryteller/the-journey-to-devsecops

7. @presidentbeef
The Ratio of Doom
100 developers - experts on their slice of the code
1 security person - responsible for ALL code + systems

8. @presidentbeef
Not Sustainable nor Scalable

10. @presidentbeef
DevOps
Developers as responsible for stable code as ops team is
DevSecOps
Developers as responsible for secure code as security team is

11. @presidentbeef
Security Team’s Role
Expertise
Guidance
Training
Tools

12. @presidentbeef
Security Tools in DevOps Land
Automation friendly
Fast
Consistent
Provide early feedback for developers

14. @presidentbeef
Static Analysis

15. @presidentbeef
Static Source Code Analysis

17. @presidentbeef
Automation Friendly
Input: Source Code
Output: Report

18. @presidentbeef

19. @presidentbeef

20. @presidentbeef
Fast
(Especially in comparison to “web scanners”)

21. @presidentbeef
Project Controllers Models Templates Scan Time
Diaspora 48 54 44 5s
Discourse 78 162 57 15s
Redmine 50 86 342 24s
GitlabHQ 150 123 707 61s
Canvas LMS 176 384 455 161s
Brakeman Scan Times
Brakeman 3.4.1, Ruby 2.3.1p112

22. @presidentbeef
Consistent
(Especially in comparison to “web scanners”)

23. @presidentbeef
Consistent
Baseline scan -> Incremental results

24. @presidentbeef
brakeman --compare report.json

25. @presidentbeef
Early Feedback (for Developers)
“Amplify feedback loops”

26. @presidentbeef
“Shift Left”
Write
Code
Unit
Tests
Commit
Code
Push to
CI
Code
Review
QA
Tests
Deploy!Plan /
Reqs
In
Production
Security?

27. @presidentbeef
“Shift Left”
Write
Code
Unit
Tests
Commit
Code
Push to
CI
Code
Review
QA
Tests
Deploy!Plan /
Reqs
In
Production
Security!

28. @presidentbeef
Source Code Analysis
Write
Code
Unit
Tests
Commit
Code
Push to
CI
Code
Review
QA
Tests
Deploy!Plan /
Reqs
In
Production
Security!
Kind of Late
but Possible

29. @presidentbeef
Source Code Analysis
Write
Code
Unit
Tests
Commit
Code
Push to
CI
Code
Review
QA
Tests
Deploy!Plan /
Reqs
In
Production
Security!
Deployment
Gate

30. @presidentbeef
Source Code Analysis
Write
Code
Unit
Tests
Commit
Code
Push to
CI
Code
Review
QA
Tests
Deploy!Plan /
Reqs
In
Production
Security!
QA?
Why not?

31. @presidentbeef
Source Code Analysis
Write
Code
Unit
Tests
Commit
Code
Push to
CI
Code
Review
QA
Tests
Deploy!Plan /
Reqs
In
Production
Security!
Manual Scans

32. @presidentbeef
Source Code Analysis
Write
Code
Unit
Tests
Commit
Code
Push to
CI
Code
Review
QA
Tests
Deploy!Plan /
Reqs
In
Production
Security!
New Warnings
Fail Build

33. @presidentbeef
Source Code Analysis
Write
Code
Unit
Tests
Commit
Code
Push to
CI
Code
Review
QA
Tests
Deploy!Plan /
Reqs
In
Production
Security!
Commit Hooks

34. @presidentbeef
Source Code Analysis
Write
Code
Unit
Tests
Commit
Code
Push to
CI
Code
Review
QA
Tests
Deploy!Plan /
Reqs
In
Production
Security!
Run in Tests

35. @presidentbeef
Source Code Analysis
Write
Code
Unit
Tests
Commit
Code
Push to
CI
Code
Review
QA
Tests
Deploy!Plan /
Reqs
In
Production
Security!
Run in IDE /
On Save

36. @presidentbeef
Early Feedback
Few dependencies makes integration easy
Fast tools can be “in line” with workflow
Incremental results relevant to changes

37. @presidentbeef
Automation Strategies

38. @presidentbeef
Continuous Integration
https://jenkins.io/blog/2016/08/10/rails-cd-with-pipeline/
Brakeman plugin

39. @presidentbeef
Code Review
Brakeman engine

40. @presidentbeef
Deployment Gate

41. @presidentbeef
Tweetable Incremental Scan

42. @presidentbeef
Separate Process

43. @presidentbeef
Local Tests/Git Hook
guard-brakeman

44. @presidentbeef
require "brakeman/test/minitest"
class TestBrakemanWarnings < Minitest::Test
def test_no_brakeman_warnings
assert_no_brakeman_warnings
end
end
(Brakeman Pro only)

45. @presidentbeef
Types of Static Analysis Tools
Security - Vulnerabilities
Composition - Old/vulnerable dependencies
Quality - Complexity
Style

46. @presidentbeef
Finding Tools

47. @presidentbeef
Building Tools

48. @presidentbeef
In Conclusion
Source code analysis fits well with DevOps
Enables security review inside workflow
Provides feedback early in development
Multiple options for integration points

49. @presidentbeef
Thank You
@presidentbeef / presidentbeef.com