Ruby on Rails security in your Continuous Integration
Transcript of Ruby on Rails security in your Continuous Integration
Page 1
Confidential & proprietary © Sqreen, 2015
Rails Security Continuous Integration
We make products antifragile.
Page 2
Jean-Baptiste Aviat, Sqreen CTO (https://sqreen.io)
Former Apple software security engineer
Former white hat hacker
Twitter: @JbAviat
Email: [email protected]
Page 3
“Never send a human to do a machine's job.”
– Agent Smith
Page 4
Continuous Integration
Quality: automate everything you can
Unit tests at every commit
Integration tests at every commit
Test against a production-like stack
Maximize confidence for every commit
Page 5
“Testing shows the presence, not the absence of bugs.”
– Edsger W. Dijkstra
Page 6
Static & Dynamic analysis
Page 7
Static analysis - Brakeman
http://brakemanscanner.org/
Written in Ruby
Dedicated to Ruby on Rails
Open source: https://github.com/presidentbeef/brakeman
Podcast: Ruby Rogues #219
Page 8
Static analysis - Jenkins integration
Jenkins plugin: https://wiki.jenkins-ci.org/display/JENKINS/Brakeman+Plugin
Install the gem on the test server
Add an adequate test to Jenkins
Done.
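As an added example (not from the slides, and not Brakeman's or the Jenkins plugin's own code) of the kind of "adequate test" a Jenkins job can run: a Ruby script that reads Brakeman's JSON report, fails the build on warnings at or above a chosen confidence level, and skips fingerprints the team has already reviewed as false positives, which is how a finding like the demo's static `@secure` stops failing every build without silencing the scanner. The field names follow Brakeman's JSON report format; the sample report, fingerprints and file paths are constructed for this example.

```ruby
# Added example (not from the slides): a CI gate over Brakeman's JSON report.
# Field names ("warnings", "confidence", "fingerprint", "warning_type", "file",
# "line", "message") follow Brakeman's JSON output; the sample below is constructed.
require 'json'

# Brakeman confidence levels, strongest first.
CONFIDENCE_RANK = { 'High' => 0, 'Medium' => 1, 'Weak' => 2 }.freeze

# Warnings that should fail the build: at or above min_confidence and whose
# fingerprint is not on the team's reviewed-false-positive list.
def blocking_warnings(report, min_confidence: 'Medium', ignored_fingerprints: [])
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  report.fetch('warnings', []).reject do |w|
    ignored_fingerprints.include?(w['fingerprint']) ||
      CONFIDENCE_RANK.fetch(w['confidence'], 2) > threshold
  end
end

# One line per blocking warning, readable in a Jenkins console log.
def format_warning(w)
  "#{w['confidence']}: #{w['warning_type']} in #{w['file']}:#{w['line']} - #{w['message']}"
end

# Exit status for the CI step: 0 when nothing blocks, 1 otherwise.
def gate_exit_status(report, **opts)
  blocking_warnings(report, **opts).empty? ? 0 : 1
end

# Constructed sample shaped like the demo: one real XSS and one flagged
# instance variable that is in fact a static string (a false positive).
SAMPLE_REPORT = JSON.parse(<<~JSON)
  {
    "warnings": [
      {"warning_type": "Cross-Site Scripting", "confidence": "High",
       "fingerprint": "aaaa1111", "file": "app/views/posts/show.html.erb",
       "line": 12, "message": "Unescaped parameter value"},
      {"warning_type": "Cross-Site Scripting", "confidence": "Weak",
       "fingerprint": "bbbb2222", "file": "app/views/home/index.html.erb",
       "line": 3, "message": "Unescaped model attribute"}
    ]
  }
JSON

# Fingerprints reviewed by the team and judged false positives (constructed).
IGNORED = ['bbbb2222'].freeze

if __FILE__ == $PROGRAM_NAME
  # In the Jenkins step, replace the constructed sample with the real report:
  #   report = JSON.parse(`brakeman -q -f json --no-exit-on-warn`)
  # and finish with `exit status` so a non-zero status fails the build.
  report = SAMPLE_REPORT
  blocking_warnings(report, ignored_fingerprints: IGNORED).each { |w| puts format_warning(w) }
  status = gate_exit_status(report, ignored_fingerprints: IGNORED)
  puts "brakeman gate exit status: #{status}"
end
```

Keeping the ignore list keyed on Brakeman's fingerprint rather than on file and line means a reviewed false positive survives unrelated edits to the file, while a new warning in the same view still fails the build.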
Page 9
Dynamic analysis - Arachni
http://www.arachni-scanner.com/
Written in Ruby
Compatible with any Web application
Open source: https://github.com/Arachni/arachni/
Powerful but complex
Page 10
Dynamic analysis - Jenkins integration
No Jenkins plugin
Do-it-yourself JUnit XML (contact me)
Order tests by sensitivity
Set a short timeout
Dynamic tests: the faster the server, the better
Puma did well
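An added example of the do-it-yourself JUnit XML step (not from the slides, and not Arachni's own code): a Ruby converter that turns an Arachni JSON report into a JUnit XML file Jenkins can publish as test results, with one test case per issue, ordered by severity so the most sensitive findings come first, and only severities at or above a chosen level counted as failures. The report field names (`issues`, `name`, `severity`, `description`, `vector` with `url` and `method`) are assumed to follow Arachni's JSON reporter; the sample report and the CLI invocations in the comments are constructed for this example.

```ruby
# Added example (not from the slides): Arachni JSON report -> JUnit XML.
# Field names are assumed to follow Arachni's JSON reporter; the sample
# report below is constructed.
require 'json'
require 'cgi'

# Arachni severities from most to least sensitive (assumed labels).
SEVERITY_ORDER = %w[high medium low informational].freeze

def severity_rank(issue)
  SEVERITY_ORDER.index(issue['severity'].to_s.downcase) || SEVERITY_ORDER.size
end

# Issues sorted by severity, then by name, so the report is stable between runs.
def issues_by_sensitivity(report)
  report.fetch('issues', []).sort_by { |i| [severity_rank(i), i['name'].to_s] }
end

# Severities at or above fail_at count as test failures; lower ones are
# reported in the test output but pass.
def failing?(issue, fail_at: 'medium')
  severity_rank(issue) <= SEVERITY_ORDER.index(fail_at)
end

# Build the JUnit XML as a string. Everything taken from the report is escaped,
# since scanner output quotes the very markup it found.
def junit_xml(report, suite_name: 'arachni', fail_at: 'medium')
  issues = issues_by_sensitivity(report)
  failures = issues.count { |i| failing?(i, fail_at: fail_at) }
  cases = issues.map do |i|
    vector = i.fetch('vector', {})
    name = "#{i['severity']}: #{i['name']} (#{vector['method']} #{vector['url']})"
    desc = CGI.escapeHTML(i['description'].to_s)
    body = if failing?(i, fail_at: fail_at)
             "<failure message=\"#{CGI.escapeHTML(i['name'].to_s)}\">#{desc}</failure>"
           else
             "<system-out>#{desc}</system-out>"
           end
    "  <testcase classname=\"#{CGI.escapeHTML(suite_name)}\" name=\"#{CGI.escapeHTML(name)}\">#{body}</testcase>"
  end
  <<~XML
    <?xml version="1.0" encoding="UTF-8"?>
    <testsuite name="#{CGI.escapeHTML(suite_name)}" tests="#{issues.size}" failures="#{failures}">
    #{cases.join("\n")}
    </testsuite>
  XML
end

# Constructed sample: one low-severity header finding and one reflected XSS.
SAMPLE_REPORT = JSON.parse(<<~JSON)
  { "issues": [
      {"name": "Missing 'X-Frame-Options' header", "severity": "low",
       "description": "Response lacks clickjacking protection.",
       "vector": {"url": "http://localhost:3000/", "method": "get"}},
      {"name": "Cross-Site Scripting (XSS)", "severity": "high",
       "description": "Reflected input in <script> context.",
       "vector": {"url": "http://localhost:3000/search", "method": "get"}}
  ]}
JSON

if __FILE__ == $PROGRAM_NAME
  # In CI (assumed CLI forms, check against your Arachni version): scan the
  # test server with a short timeout, convert the .afr to JSON, then:
  #   arachni http://localhost:3000 --timeout 0:10:0 --report-save-path=scan.afr
  #   arachni_reporter scan.afr --reporter=json:outfile=scan.json
  #   File.write('arachni-junit.xml', junit_xml(JSON.parse(File.read('scan.json'))))
  puts junit_xml(SAMPLE_REPORT)
end
```

Publishing the resulting file with Jenkins' JUnit result publisher gives each finding its own red or green entry, so a build history shows exactly when a given issue first appeared and when it went away.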
Page 11
Demo
Page 12
Brakeman detects 2 XSS
Page 13
Brakeman detected XSS details
Undetected issue
Fake issue: @secure is static!
Real XSS
Page 14
Arachni scan result
Page 15
Arachni issue details
Page 16
Issues
False positives lower CI confidence
Cannot test against production (dangerous), which leads to more false positives
Tool updates depend on the maintainers' will
Need to iteratively adapt your code
Vulnerability debt (legacy)
Security tests are not written by you
Need deep attack knowledge to understand them
Page 17
Sqreen: you code, we protect
We automatically protect your apps
Strong and transparent
Beta program available:
Come and see me if you have Rails or Sinatra based applications
Sqreen is hiring: http://sqreen.io/jobs.html