Presentation is loading. Please wait.

Presentation is loading. Please wait.

Brakeman and Jenkins: The Duo Detects Defects in Ruby on Rails Code Justin Collins Tin Zaw AppSec USA September 23, 2011.

Published byErick Cobb Modified over 9 years ago

Similar presentations

Presentation on theme: "Brakeman and Jenkins: The Duo Detects Defects in Ruby on Rails Code Justin Collins Tin Zaw AppSec USA September 23, 2011."— Presentation transcript:

1 Brakeman and Jenkins: The Duo Detects Defects in Ruby on Rails Code Justin Collins Tin Zaw AppSec USA September 23, 2011

2 About Us Justin Collins - @presidentbeef Tin Zaw - @tzaw

3 McGraw’s Touch Point #1 Code Review (Tools)

4 Use tools to detect and report security defects in code early in the development cycle with minimal impact to development workflow Our Philosophy: Light Touch

5 Static vs. Dynamic Analysis Penetration Testing Pros – Replicates real life deployment – Entire application stack, configuration Penetration Testing Cons – Reports symptoms, not root causes – Setup time, find defects late during QA cycle – Incomplete view of running app

6 Static vs. Dynamic Analysis Static Code Analysis Pros – Early detection of defects – Integrated into developer’s workflow – No deployment required Static Code Analysis Cons – Limited to code – Need access to source code

7 Defect Cost Curve

8 Application Security Testing

9 Defect Cost Curve Brakeman + Jenkins Brakeman + Jenkins

10 Existing Static Analysis Tools for Security Defects C/C++ C#/.Net Java Ruby ? Ruby on Rails

11 Web application framework using the Ruby language Built on the model-view-controller design pattern “Convention over configuration” – encourages assumptions which lead to default behavior http://rubyonrails.org/

12 Manual Workflow Get Latest Code Run Tool Examine Results

13 Manual Workflow Get Latest Code Run Tool Examine Results Repeat

14 Automated Workflow Let tools alert you when there is a problem

15 Brakeman http://brakemanscanner.org

16 Using Brakeman gem install brakeman cd your/rails/app brakeman

17 Brakeman Application Flow Parse App Code Clean up & Organize Clean up & Organize Inspect Results Inspect Results Generate Report Generate Report

18 Vulnerabilities Brakeman Detects Cross site scripting SQL injection Command injection Unprotected redirects Unsafe file access Default routes Insufficient model validation Version-specific security issues Unrestricted mass assignment Dangerous use of eval() …and more!

19 Example: Cross Site Scripting (Rails 2.x) Results for

20 Example: Cross Site Scripting (Rails 3.x) Results for

21 Example: Cross Site Scripting (Rails 3.x) Results for Unescaped parameter value near line 1: params[:query]

22 Example: SQL Injection username = params[:user][:name] User.find(:all, :conditions => "name like '%#{username}%'")

23 Example: SQL Injection username = params[:user][:name] User.find(:all, :conditions => "name like '%#{username}%'") Possible SQL injection near line 87: User.find(:all, :conditions => ("name like '%#{params[:user][:name]}%'") Possible SQL injection near line 87: User.find(:all, :conditions => ("name like '%#{params[:user][:name]}%'")

24 Extended Example - Filters class ApplicationController < ActionController::Base def set_user @user = User.find(params[:user_id]) end Method in application controller sets the @user variable

25 Extended Example - Filters class UserController < ApplicationController before_filter :set_user def show end User controller calls set_user before any action

26 Extended Example - Filters View outputs the result of a method call on the @user variable

27 Extended Example - Filters UserController ApplicationController UserController user/show.erb.html Data flow followed from filter through to the view

28 Extended Example - Filters Unescaped model attribute near line 5: User.find(params[:id]).bio

29 Example: Mass Assignment class User < ActiveRecord::Base end User model generated by Rails

30 Example: Mass Assignment Excerpt of Users controller generated by Rails class UsersController < ApplicationController #... def new @user = User.new(params[:user]) #... end

31 Example: Mass Assignment class UsersController < ApplicationController #... def new @user = User.new(params[:user]) #... end Unprotected mass assignment near line 43: User.new(params[:user])

32 Open source continuous integration server http://jenkins-ci.org

33 How Jenkins Works Monitor Conditions Run Jobs Aggregate Results

34 How Jenkins Works Monitor Conditions Run Jobs git push svn commit git push svn commit brakeman Security Warnings Aggregate Results

35 Brakeman Plugin for Jenkins Run Brakeman Collect Warnings Collect Warnings Generate Reports Generate Reports

36 Some Results

37 Resources Ruby – http://ruby-lang.org Ruby on Rails – http://rubyonrails.org Ruby on Rails Security Guide – http://guides.rubyonrails.org/security.html Brakeman – http://brakemanscanner.org Jenkins – http://jenkins-ci.org Brakeman plugin for Jenkins – http://github.com/presidentbeef/brakeman-jenkins-plugin

Download ppt "Brakeman and Jenkins: The Duo Detects Defects in Ruby on Rails Code Justin Collins Tin Zaw AppSec USA September 23, 2011."

Similar presentations

Introduction to Maven 2.0 An open source build tool for Enterprise Java projects Mahen Goonewardene.

Introduction to Maven 2.0 An open source build tool for Enterprise Java projects Mahen Goonewardene.
Taxi Magic Mobile App Testing. iOS Testing Rapid Releases: Submit about every 30 days to iTunes CI Automated Tests: Polls git repository commits and executes.

Taxi Magic Mobile App Testing. iOS Testing Rapid Releases: Submit about every 30 days to iTunes CI Automated Tests: Polls git repository commits and executes.
Jenkins User Conference Jenkins User Conference Israel, 06 June 2013 #jenkinsconf Pre-Tested Commits with Jenkins and Reviewboard Yardena Meymann VMware.

Jenkins User Conference Jenkins User Conference Israel, 06 June 2013 #jenkinsconf Pre-Tested Commits with Jenkins and Reviewboard Yardena Meymann VMware.
© 2010 Wipro Ltd - Confidential SGSN Automation Testing Using TTCN3 Authors: Jyothi Gavara Nikhil Rahul Ekka.

© 2010 Wipro Ltd - Confidential SGSN Automation Testing Using TTCN3 Authors: Jyothi Gavara Nikhil Rahul Ekka.
Automating with Open Source Testing Tools Corey McGarrahan rSmart 01-July-08.

Automating with Open Source Testing Tools Corey McGarrahan rSmart 01-July-08.
By SAG - 11. Objectives Cross platform QA Automation for web applications Scheduling the automation Automatically build the test scripts Generate the.

By SAG Objectives Cross platform QA Automation for web applications Scheduling the automation Automatically build the test scripts Generate the.
Creating Web Services with Ruby on Rails Robert Thew Internet and Web Systems II.

Creating Web Services with Ruby on Rails Robert Thew Internet and Web Systems II.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.

Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
Static code check – Klocwork

Static code check – Klocwork
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
Creating Web Services with Ruby on Rails Robert Thew Internet and Web Systems II.

Creating Web Services with Ruby on Rails Robert Thew Internet and Web Systems II.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
27-Jun-15 Rails. What is Rails? Rails is a framework for building web applications This involves: Getting information from the user (client), using HTML.

27-Jun-15 Rails. What is Rails? Rails is a framework for building web applications This involves: Getting information from the user (client), using HTML.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
BizTalk Deployment using Visual Studio Release Management

BizTalk Deployment using Visual Studio Release Management
Improving Software Quality with Continuous Integration

Improving Software Quality with Continuous Integration
Project Implementation for COSC 5050 Distributed Database Applications Lab1.

Project Implementation for COSC 5050 Distributed Database Applications Lab1.
Introducing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.

Introducing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.
DNN LOVES JENKINS FOR CONTINUOUS INTEGRATION

DNN LOVES JENKINS FOR CONTINUOUS INTEGRATION

Similar presentations

Ads by Google