18 Mar 2015 · Software Engineering

    Automatic Security Testing of Rails Applications Using Brakeman

    Introduction

    Brakeman is a tool that scans a Ruby on Rails application for common vulnerabilities. It’s a static code analyzer that can help you find security problems before you release the application.

    Since you can introduce a vulnerability at any stage of your development process, Brakeman should scan your application as often as possible, preferably on every commit. That makes it an ideal candidate for the continuous delivery pipeline. Fortunately, it’s easy to make Brakeman part of your CI.

    In this post we will add Brakeman to an existing Ruby on Rails application and run it as part of a continuous integration pipeline.

    Install Brakeman

    Although it’s possible to add the brakeman gem to your Gemfile, we find it’s better to install Brakeman from scratch every time with gem install brakeman. Brakeman is regularly updated with new security checks, so a fresh installation ensures you have the latest version every time checks are performed.

    Create a new script, script/brakeman, in your Rails application repository that will install and run Brakeman:

    #!/bin/bash
    #
    # Script for running Brakeman tests
    # Brakeman is a security scanner https://github.com/presidentbeef/brakeman.
    
    gem install --no-rdoc --no-ri brakeman
    brakeman --exit-on-warn .

    The --no-rdoc and --no-ri flags make the gem installation a bit faster.

    The --exit-on-warn flag tells Brakeman to exit with a non-zero status if it reports any warnings. That’s important when running Brakeman in a continuous integration environment, since it ensures that your build will fail if any issues are found.

    Now make the script executable by running the following command from the root of your project:

    chmod +x script/brakeman

    You can now run Brakeman with ./script/brakeman from the root directory of your project. It will run all checks and let you know if there’s anything to be fixed to make your application more secure. Here’s example output from a small application with one security vulnerability:

    ...
    +-------------------+-------+
    | Scanned/Reported  | Total |
    +-------------------+-------+
    | Controllers       | 2     |
    | Models            | 1     |
    | Templates         | 2     |
    | Errors            | 0     |
    | Security Warnings | 1 (0) |
    +-------------------+-------+
    
    +-----------------+-------+
    | Warning Type    | Total |
    +-----------------+-------+
    | Mass Assignment | 1     |
    +-----------------+-------+
    
    Model Warnings:
    
    +------------+-------+-----------------+----------------------------------------
    | Confidence | Model | Warning Type    | Message
    +------------+-------+-----------------+----------------------------------------
    | Weak       | Post  | Mass Assignment | Potentially dangerous attribute
    |            |       |                 | available for mass assignment: :user_id
    +------------+-------+-----------------+----------------------------------------
    

    Brakeman will show what checks were performed and generate a nicely formatted report.

    To get more information about a particular warning, consult the Brakeman warning types list. There you can find instructions that will help you fix each warning.

    After fixing all problems in your application, add the ./script/brakeman command to your continuous integration build commands to run a security scan on every push to the repository.

    Ignore Brakeman warnings

    Since Brakeman is a static code analyzer, it doesn’t check your application semantics. That means it can be confused by your code and report a vulnerability when there isn’t one. In that case, you can create a configuration file with the list of ignored warnings.

    To ignore a warning, install Brakeman and run it with the -I parameter:

    brakeman -I

    That will start a wizard that will guide you through all reported vulnerabilities in your application with options to ignore them. At the end of the wizard, you can set the name of the configuration file. Enter brakeman.ignore and save the file.

    Then, update script/brakeman to use the ignore list:

    #!/bin/bash
    #
    # Script for running Brakeman tests
    # Brakeman is a security scanner https://github.com/presidentbeef/brakeman.
    
    gem install --no-rdoc --no-ri brakeman
    brakeman --ignore-config brakeman.ignore --exit-on-warn .
    

    Commit the brakeman.ignore file to the application repository. The next time you run Brakeman, the ignored warnings won’t be reported.
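
    A committed ignore list silences findings on every later build, so it is worth checking that each entry says why it was ignored. The following Ruby check is an added example, not code from the original post or from the Brakeman project: it lists ignored warnings that carry no justification note. It assumes the ignore file is JSON with an "ignored_warnings" array whose entries have "warning_type", "fingerprint", "file" and "note" fields; the sample content and the function names are constructed for illustration.

```ruby
require "json"

# Constructed sample of a brakeman.ignore file (not real scan output).
# Assumed layout: a JSON object with an "ignored_warnings" array.
SAMPLE_IGNORE = <<~JSON
  {
    "ignored_warnings": [
      { "warning_type": "Mass Assignment", "file": "app/models/post.rb",
        "fingerprint": "constructed-fingerprint-0001", "confidence": "Weak",
        "note": "user_id is only ever set from current_user" },
      { "warning_type": "Mass Assignment", "file": "app/models/comment.rb",
        "fingerprint": "constructed-fingerprint-0002", "confidence": "Weak",
        "note": "" }
    ]
  }
JSON

# Parse the ignore file text and return its list of ignored warnings.
def ignored_warnings(json_text)
  entries = JSON.parse(json_text).fetch("ignored_warnings", [])
  raise ArgumentError, "ignored_warnings must be an array" unless entries.is_a?(Array)

  entries
end

# Entries that were ignored without any written justification.
def unjustified_ignores(json_text)
  ignored_warnings(json_text).select { |w| w["note"].to_s.strip.empty? }
end

# Count of ignores per warning type, so reviewers can spot a growing list.
def ignores_by_type(json_text)
  ignored_warnings(json_text)
    .group_by { |w| w["warning_type"] }
    .transform_values(&:size)
end

# Audit a file on disk, or the constructed sample when no path is given.
# Returns 0 when every ignore has a note, 1 otherwise (usable as an exit code).
def audit(path = nil)
  text = path ? File.read(path) : SAMPLE_IGNORE
  missing = unjustified_ignores(text)
  missing.each do |w|
    warn "ignored without note: #{w['warning_type']} in #{w['file']} (#{w['fingerprint']})"
  end
  missing.empty? ? 0 : 1
end
```

    In CI, calling `exit audit("brakeman.ignore")` before the Brakeman run makes an unexplained ignore fail the build.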

    Conclusion

    We recommend that you introduce security checks to your continuous delivery pipeline, and Brakeman is a good choice for Rails applications.

    In this tutorial we showed how to install Brakeman on every build to get the most recent security checks, and how to configure Brakeman to ignore a warning for your application.
