Testing Security with Brakeman

Security in web applications is not something developers discuss often enough – some think of it as a taboo subject, or something the NOC guys have to deal with. Some treat security as a post deployment afterthought. Sometimes little thought is given after an attack has already occurred. Some web developers ignore security all together.

This attitude is unfortunate and unprofessional, because many of the common attack points are within control of the developer. Developers usually don’t know about them, but ignorance won’t help recreate that maliciously dropped database table.

As developers we need to be conscious of security at every point in development.

Ruby on Rails has security built in, as documented here, but we still need to use those best practices while developing our application.

What’s the best way to check if we’re doing something wrong in our application? test it! However, there’s a problem: writing tests for even a small sample of every known security vulnerability would be a nightmare. Even ‘black-box’ testing frameworks can take hours to run against a web app. If only there were a Rails specific security testing framework that looked at your code to see if you are following security best practices…

Enter Brakeman.

Brakeman is a gem that looks into your application and attempts to find potential security issues. Keep in mind that nothing can ever find every security issue. Brakeman is just another tool to help during development.

Installation is simple: Add gem "brakeman" to your gemfile

And run it with:

brakeman

Brakeman will generate a report of possible security issues it has found, including the line number and a snippet of the offending code. The formatting, and what tests are run, can be changed by passing in options to brakeman.

To automate Brakeman add the following to your rakefile:

 

Or, if you’re using guard, use the guard-brakeman gem:

 

Now every time you run your test suite, or change a file, Brakeman will audit your application. It really is that simple, integrating Brakeman into your development habits is an easy step towards securing your application and your customer.

For more information see Brakeman’s homepage here.

Stay safe out there space-cowboy!


Category: Development
Tags: Tutorial