Brakeman and Jenkins: The Duo Detects Defects in Ruby on Rails Code
Justin Collins, Tin Zaw
AppSec USA, September 23, 2011
About Us
Justin Collins - @presidentbeef
Tin Zaw - @tzaw
McGraw’s Touchpoint #1: Code Review (Tools)
Our Philosophy: Light Touch
Use tools to detect and report security defects in code early in the development cycle, with minimal impact on the development workflow.
Static vs. Dynamic Analysis
• Penetration Testing Pros
– Replicates real-life deployment
– Covers the entire application stack, including configuration
• Penetration Testing Cons
– Reports symptoms, not root causes
– Setup time; defects are found late, during the QA cycle
– Incomplete view of the running app
Static vs. Dynamic Analysis
• Static Code Analysis Pros
– Early detection of defects
– Integrated into the developer’s workflow
– No deployment required
• Static Code Analysis Cons
– Limited to what is in the code
– Needs access to source code
Defect Cost Curve
(Chart: cost of fixing a defect plotted against the development phase in which it is found, with "Application Security Testing" and "Brakeman + Jenkins" marked on the curve.)
Existing Static Analysis Tools for Security Defects
C/C++: <many>
C#/.Net: <many>
Java: <many>
Ruby, Ruby on Rails: ?
Ruby on Rails
Web application framework using the Ruby language
Built on the model-view-controller design pattern
“Convention over configuration” – encourages assumptions which lead to default behavior
http://rubyonrails.org/
Manual Workflow
Get Latest Code → Run Tool → Examine Results → Repeat
Automated Workflow
Let tools alert you when there is a problem
Using Brakeman
gem install brakeman
cd your/rails/app
brakeman
Brakeman Application Flow
Parse App Code → Clean up & Organize → Inspect Results → Generate Report
Vulnerabilities Brakeman Detects
• Cross site scripting
• SQL injection
• Command injection
• Unprotected redirects
• Unsafe file access
• Default routes
• Insufficient model validation
• Version-specific security issues
• Unrestricted mass assignment
• Dangerous use of eval()
• …and more!
Example: Cross Site Scripting (Rails 2.x)
<b>Results for <%= params[:query] %></b>
Rails 2.x does not escape output by default, so the query parameter is written into the page as-is.

Example: Cross Site Scripting (Rails 3.x)
<b>Results for <%= raw params[:query] %></b>
Rails 3.x escapes output by default; raw switches that escaping off for this value.
Brakeman reports: Unescaped parameter value near line 1: params[:query]
Example: SQL Injection
username = params[:user][:name]
User.find(:all, :conditions => "name like '%#{username}%'")
Brakeman reports: Possible SQL injection near line 87: User.find(:all, :conditions => ("name like '%#{params[:user][:name]}%'"))
Note that the warning shows params[:user][:name] rather than username: Brakeman has followed the local variable back to the request parameter that feeds the query.
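The two warnings above (the Rails 3 raw output and the interpolated :conditions string) are produced by checks that run over a parsed abstract syntax tree, not by pattern-matching the source text. As an added illustration, not Brakeman's own code, the following plain-Ruby toy implements a cut-down version of both checks with the standard-library Ripper parser. The function names unescaped_output and interpolated_conditions, and the sample view and controller snippets, are constructed for this example; the toy has no data-flow tracking, which is exactly the capability the "Extended Example" below relies on.

```ruby
require "ripper"

# Added example, not Brakeman's code: a toy of two Brakeman checks from the slides,
# unescaped output in ERB views and string interpolation in :conditions. Like
# Brakeman it inspects a parsed Ruby AST (stdlib Ripper) rather than matching
# source text; unlike Brakeman it does no data flow, so a tainted value that
# passes through a local variable or a before_filter is not followed.

# Yield every S-expression node (arrays whose first element is a Symbol).
def each_node(node, &blk)
  return unless node.is_a?(Array)
  blk.call(node) if node.first.is_a?(Symbol)
  node.each { |child| each_node(child, &blk) }
end

# True when some node of the given type (e.g. :string_embexpr) appears in the tree.
def contains_node?(tree, type)
  each_node(tree) { |n| return true if n[0] == type }
  false
end

# True when the expression reads `params` anywhere (the user-controlled source).
def reads_params?(tree)
  each_node(tree) { |n| return true if n[0] == :vcall && n[1][0] == :@ident && n[1][1] == "params" }
  false
end

# Name of the method call wrapping the whole expression, or nil if there is none.
def outer_call(expr)
  case expr[0]
  when :command        then expr[1][1]                            # raw params[:q]
  when :method_add_arg then expr[1][1][1] if expr[1][0] == :fcall  # h(params[:q])
  end
end

ERB_OUTPUT = /<%=\s*(.*?)\s*%>/m

# XSS check over an ERB template. Rails 2 escapes nothing unless the view calls
# h(); Rails 3 escapes everything unless the view calls raw. Returns warnings.
def unescaped_output(template, rails_version:)
  warnings = []
  template.scan(ERB_OUTPUT) do |(body)|
    sexp = Ripper.sexp(body)
    next if sexp.nil?                  # unparsable fragment: skip rather than guess
    expr = sexp[1][0]                  # the single statement inside <%= %>
    next unless reads_params?(expr)
    call = outer_call(expr)
    unsafe = rails_version == 2 ? !%w[h html_escape].include?(call) : call == "raw"
    warnings << "Unescaped parameter value: #{body}" if unsafe
  end
  warnings
end

# Hash key name for both `:conditions =>` and `conditions:` spellings.
def hash_key(key)
  case key[0]
  when :symbol_literal then key[1][1][1]
  when :@label         then key[1].chomp(":")
  end
end

# SQL injection check over Ruby source: a :conditions value that is a plain string
# with #{...} interpolation is reported. The array form ["name like ?", value]
# is not, because ActiveRecord quotes the bound value itself.
def interpolated_conditions(ruby_source)
  warnings = []
  sexp = Ripper.sexp(ruby_source)
  return warnings if sexp.nil?
  each_node(sexp) do |n|
    next unless n[0] == :assoc_new && hash_key(n[1]) == "conditions"
    value = n[2]
    next unless value[0] == :string_literal && contains_node?(value, :string_embexpr)
    line = n[1][0] == :@label ? n[1][2][0] : n[1][1][1][2][0]
    warnings << "Possible SQL injection near line #{line}: interpolation in :conditions string"
  end
  warnings
end

# Constructed inputs modelled on the slides (single-quoted heredocs keep #{} literal).
VIEW_RAILS3 = "<b>Results for <%= raw params[:query] %></b>"
SQL_VULNERABLE = <<~'RUBY'
  username = params[:user][:name]
  User.find(:all, :conditions => "name like '%#{username}%'")
RUBY
SQL_SAFE = <<~'RUBY'
  User.find(:all, :conditions => ["name like ?", "%#{params[:user][:name]}%"])
RUBY

if __FILE__ == $0
  puts unescaped_output(VIEW_RAILS3, rails_version: 3)
  puts interpolated_conditions(SQL_VULNERABLE)
  p interpolated_conditions(SQL_SAFE)
end
```

Two things the toy shows that the slides only imply: the same template line is a finding under the Rails 2 escaping model and clean under Rails 3 unless raw is present, which is why Brakeman needs to know the Rails version; and the SQL check must look at the shape of the :conditions value, since interpolating into the bound-value side of the array form is not an injection. What the toy cannot do is report params[:user][:name] for the username case, or follow @user from a filter into a view; that is the data-flow work Brakeman adds.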
Extended Example - Filters
class ApplicationController < ActionController::Base
  def set_user
    @user = User.find(params[:user_id])
  end
end
Method in application controller sets the @user variable
Extended Example - Filters
class UserController < ApplicationController
  before_filter :set_user
  def show
  end
end
User controller calls set_user before any action
Extended Example - Filters
<%= raw @user.bio %>
View outputs the result of a method call on the @user variable
Extended Example - Filters
(Diagram: UserController before_filter → ApplicationController#set_user → UserController#show → user/show.html.erb)
Data flow followed from the filter through to the view
Extended Example - Filters
<%= raw @user.bio %>
Unescaped model attribute near line 5: User.find(params[:id]).bio
Example: Mass Assignment
class User < ActiveRecord::Base
end
User model generated by Rails
Example: Mass Assignment
Excerpt of Users controller generated by Rails
class UsersController < ApplicationController
  #...
  def new
    @user = User.new(params[:user])
    #...
  end
end
Brakeman reports: Unprotected mass assignment near line 43: User.new(params[:user])
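To make the finding concrete without a Rails application or a database, here is an added example (not code from the deck or from Rails) in which a plain-Ruby model emulates ActiveRecord-style mass assignment: each key in the request hash becomes a setter call, so a client that adds a field the form never rendered sets it on the model. The attribute names, the admin flag, the request hash and the class names UnprotectedUser and ProtectedUser are constructed for this example.

```ruby
# Added example, not code from the deck or from Rails: a plain-Ruby model that
# emulates ActiveRecord-style mass assignment, so the defect Brakeman flags in
# User.new(params[:user]) can be run without a database. The attribute names,
# the admin flag and the request hash below are constructed for the example.

# Vulnerable: every key in the request hash becomes a setter call. The sign-up
# form only renders name and email, but nothing stops a client adding admin.
class UnprotectedUser
  attr_accessor :name, :email, :admin

  def initialize(attrs = {})
    attrs.each { |key, value| public_send("#{key}=", value) }
  end
end

# Hardened: an allowlist of assignable attributes, the idea behind
# attr_accessible in Rails 2/3 and params.permit in Rails 4+. Keys outside the
# list are dropped and remembered so the attempt can be logged.
class ProtectedUser
  ACCESSIBLE = %w[name email].freeze

  attr_accessor :name, :email, :admin
  attr_reader :rejected

  def initialize(attrs = {})
    @rejected = []
    attrs.each do |key, value|
      if ACCESSIBLE.include?(key.to_s)
        public_send("#{key}=", value)
      else
        @rejected << key.to_s
      end
    end
  end
end

# Constructed request body: the attacker appends a field the form never offered.
ATTACKER_PARAMS = { "name" => "mallory", "email" => "m@example.com", "admin" => "1" }.freeze

# True when building the model from the attacker's hash yields an admin account.
def admin_via_mass_assignment?(klass, params = ATTACKER_PARAMS)
  klass.new(params).admin ? true : false
end

if __FILE__ == $0
  puts "unprotected: admin=#{admin_via_mass_assignment?(UnprotectedUser)}"
  puts "protected:   admin=#{admin_via_mass_assignment?(ProtectedUser)}"
  puts "rejected keys: #{ProtectedUser.new(ATTACKER_PARAMS).rejected.inspect}"
end
```

In a real Rails 2/3 application the allowlist is declared on the model with attr_accessible (or the inverse attr_protected); Brakeman's "Unprotected mass assignment" warning fires when a model receives params without either. The detection point in the controller is the same whichever fix is chosen.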
Jenkins
Open source continuous integration server
http://jenkins-ci.org
How Jenkins Works
Monitor Conditions → Run Jobs → Aggregate Results
Example: a git push or svn commit is the condition, brakeman is the job, and its security warnings are the aggregated results.
Brakeman Plugin for Jenkins
Run Brakeman → Collect Warnings → Generate Reports
Some Results
Resources
• Ruby – http://ruby-lang.org
• Ruby on Rails – http://rubyonrails.org
• Ruby on Rails Security Guide – http://guides.rubyonrails.org/security.html
• Brakeman – http://brakemanscanner.org
• Jenkins – http://jenkins-ci.org
• Brakeman plugin for Jenkins – http://github.com/presidentbeef/brakeman-jenkins-plugin