Ruby on Rails security in your Continuous Integration

Upload: sqreen

Post on 21-Jan-2018

Category: Software

Page 1: Ruby on Rails security in your Continuous Integration

Confidential & proprietary © Sqreen, 2015

Rails Security Continuous Integration

We make products antifragile.

Page 2:

Jean-Baptiste Aviat, Sqreen CTO (https://sqreen.io)

Former Apple software security engineer

Former white hat hacker

Twitter: @JbAviat

Email: [email protected]

Page 3:

"Never send a human to do a machine's job."

– Agent Smith

Page 4:

Continuous Integration

Quality: automate everything you can

Unit tests at every commit

Integration tests at every commit

Test against a production-like stack

Maximize confidence for every commit

Page 5:

"Testing shows the presence, not the absence of bugs."

– Edsger W. Dijkstra

Page 6:

Static & Dynamic analysis

Page 7:

Static analysis - Brakeman (http://brakemanscanner.org/)

Written in Ruby

Dedicated to Ruby on Rails

Open source: https://github.com/presidentbeef/brakeman

Podcast: Ruby Rogues #219

Page 8:

Static analysis - Jenkins integration

Jenkins plugin:

https://wiki.jenkins-ci.org/display/JENKINS/Brakeman+Plugin

Install the Brakeman gem on the test server

Add an adequate test to Jenkins

Done.
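Once the gem is installed, the "adequate test" is a job step that runs Brakeman, writes a report and fails the build when the report contains findings nobody has triaged. The Ruby script below is an added example written for this page, not code from the slides or from Brakeman itself. It reads a report in Brakeman's JSON format (`brakeman -o brakeman.json` writes one; the shape assumed here is a `warnings` array whose entries carry `warning_type`, `confidence`, `file`, `line`, `code` and `fingerprint`) together with a `config/brakeman.ignore`-style waiver file (`ignored_warnings` entries with `fingerprint` and `note`), and returns a non-zero status only for High or Medium findings that have not been waived. Both JSON documents are constructed samples mirroring the demo later in the deck (one real XSS, one false positive on a static value); the function and constant names are mine.

```ruby
require 'json'

# Confidence levels Brakeman assigns. The gate fails the build only on the
# levels listed here, so "Weak" findings are reported but not blocking,
# a common first step when onboarding an application with legacy code.
FAIL_ON = %w[High Medium].freeze

# Constructed sample of a Brakeman JSON report, trimmed to the fields the
# gate needs. Two findings, as in the demo: one real reflected XSS and one
# false positive on a static instance variable.
SAMPLE_REPORT = <<~JSON
  {
    "warnings": [
      {
        "warning_type": "Cross-Site Scripting",
        "check_name": "CrossSiteScripting",
        "message": "Unescaped parameter value",
        "file": "app/views/search/show.html.erb",
        "line": 3,
        "code": "params[:q]",
        "confidence": "High",
        "fingerprint": "aaaa1111"
      },
      {
        "warning_type": "Cross-Site Scripting",
        "check_name": "CrossSiteScripting",
        "message": "Unescaped model attribute",
        "file": "app/views/home/index.html.erb",
        "line": 8,
        "code": "@secure",
        "confidence": "Medium",
        "fingerprint": "bbbb2222"
      }
    ]
  }
JSON

# Constructed sample of a config/brakeman.ignore file: the static @secure
# finding has been reviewed and waived. Waivers are keyed by fingerprint,
# not by file and line, so they survive unrelated edits to the view.
SAMPLE_IGNORE = <<~JSON
  {
    "ignored_warnings": [
      { "fingerprint": "bbbb2222", "note": "@secure is a static string, reviewed" }
    ]
  }
JSON

# Warnings that should fail the build: blocking confidence level and no waiver.
def blocking_warnings(report_json, ignore_json, fail_on: FAIL_ON)
  warnings = JSON.parse(report_json).fetch('warnings', [])
  waived   = JSON.parse(ignore_json).fetch('ignored_warnings', []).map { |w| w['fingerprint'] }
  warnings.reject { |w| waived.include?(w['fingerprint']) }
          .select { |w| fail_on.include?(w['confidence']) }
end

# One console line per blocking finding, fingerprint last so it can be
# copied straight into the ignore file after review.
def format_warning(w)
  "#{w['confidence'].ljust(6)} #{w['warning_type']} in #{w['file']}:#{w['line']} (#{w['code']}) [#{w['fingerprint']}]"
end

# Process exit status for the CI step: 0 passes the build, 1 fails it.
def gate_exit_status(report_json, ignore_json, fail_on: FAIL_ON)
  blocking_warnings(report_json, ignore_json, fail_on: fail_on).empty? ? 0 : 1
end

# CLI use: ruby brakeman_gate.rb brakeman.json config/brakeman.ignore
# (file names are hypothetical). Without arguments the file only defines
# the functions and the constructed samples above.
if $PROGRAM_NAME == __FILE__ && ARGV.size >= 1
  report = File.read(ARGV[0])
  ignore = ARGV[1] && File.exist?(ARGV[1]) ? File.read(ARGV[1]) : '{}'
  found = blocking_warnings(report, ignore)
  found.each { |w| puts format_warning(w) }
  puts "brakeman gate: #{found.size} blocking warning(s)"
  exit gate_exit_status(report, ignore)
end
```

Run it right after `brakeman -o brakeman.json` in the Jenkins job; a non-zero exit marks the build failed. Keying waivers by fingerprint keeps a reviewed false positive out of every subsequent build without silencing new findings in the same file, which is what keeps the false-positive problem from eroding trust in the CI signal.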

Page 9:

Dynamic analysis - Arachni (http://www.arachni-scanner.com/)

Written in Ruby

Compatible with any Web application

Open source: https://github.com/Arachni/arachni/

Powerful but complex

Page 10:

Dynamic analysis - Jenkins integration

No Jenkins plugin

Do-it-yourself JUnit XML (contact me)

Order tests by sensitivity

Set a short timeout

Dynamic tests: the faster the server, the better

Puma did well
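Jenkins has no Arachni plugin, but its built-in JUnit publisher ingests any JUnit-style XML, so the do-it-yourself route is a small converter from scan findings to testcases. The Ruby below is an added example (mine, not the slides' or Arachni's code). It takes the list of checks that were run and the issues found, orders the testcases by severity so the most sensitive findings sit at the top of the Jenkins test page, reports checks with no findings as passed, and turns a scan that overran its timeout into an `<error>` so a truncated scan cannot pass silently. The issue hashes (`name`, `severity`, `url`, `vector`) and the list of checks are constructed samples, not Arachni's actual report schema; `to_junit_xml`, `ordered_checks` and `xml_escape` are my names.

```ruby
# Severity ranking used to order the report: lower rank is shown first.
SEVERITY_RANK = { 'high' => 0, 'medium' => 1, 'low' => 2, 'informational' => 3 }.freeze

# Constructed sample: the checks the scan ran (one testcase each) ...
SAMPLE_CHECKS = [
  'Cross-Site Scripting (XSS)',
  'SQL Injection',
  'Missing X-Frame-Options header',
  'Interesting response',
  'Path Traversal'
].freeze

# ... and the issues it found, in the shape this example assumes
# (constructed, not a real scanner's report schema).
SAMPLE_ISSUES = [
  { name: 'Cross-Site Scripting (XSS)',     severity: 'high',          url: 'http://localhost:3000/search?q=test&page=1', vector: 'q' },
  { name: 'Missing X-Frame-Options header', severity: 'low',           url: 'http://localhost:3000/',                     vector: nil },
  { name: 'SQL Injection',                  severity: 'high',          url: 'http://localhost:3000/users',                vector: 'id' },
  { name: 'Interesting response',           severity: 'informational', url: 'http://localhost:3000/admin',                vector: nil }
].freeze

# Minimal XML escaping for text and attribute values (no extra library needed).
XML_ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&apos;' }.freeze
def xml_escape(text)
  text.to_s.gsub(/[&<>"']/, XML_ESCAPES)
end

def severity_rank(issue)
  SEVERITY_RANK.fetch(issue[:severity].to_s.downcase, 99)
end

# Checks ordered by their worst finding, most severe first; clean checks last.
def ordered_checks(issues, checks)
  grouped = issues.group_by { |i| i[:name] }
  checks.sort_by do |name|
    worst = grouped.fetch(name, []).map { |i| severity_rank(i) }.min
    [worst || 100, name]
  end
end

# Builds the JUnit XML document Jenkins' JUnit publisher reads.
def to_junit_xml(issues, checks, scan_seconds:, timeout_seconds:, suite: 'arachni')
  grouped    = issues.group_by { |i| i[:name] }
  ordered    = ordered_checks(issues, checks)
  timed_out  = scan_seconds > timeout_seconds
  failures   = ordered.count { |name| grouped.key?(name) }
  errors     = timed_out ? 1 : 0
  suite_attr = xml_escape(suite)

  out = ['<?xml version="1.0" encoding="UTF-8"?>']
  out << "<testsuite name=\"#{suite_attr}\" tests=\"#{ordered.size + errors}\" " \
         "failures=\"#{failures}\" errors=\"#{errors}\" time=\"#{scan_seconds}\">"
  if timed_out
    # A scan that hit the timeout is an error, not a pass: its findings may be partial.
    out << "  <testcase classname=\"#{suite_attr}\" name=\"scan finished within #{timeout_seconds}s\">"
    out << "    <error message=\"scan took #{scan_seconds}s, over the #{timeout_seconds}s limit; findings may be partial\"/>"
    out << '  </testcase>'
  end
  ordered.each do |name|
    found = grouped.fetch(name, [])
    if found.empty?
      out << "  <testcase classname=\"#{suite_attr}\" name=\"#{xml_escape(name)}\"/>"
      next
    end
    worst = found.min_by { |i| severity_rank(i) }[:severity]
    summary = xml_escape("#{found.size} #{worst} severity issue(s)")
    out << "  <testcase classname=\"#{suite_attr}\" name=\"#{xml_escape(name)}\">"
    out << "    <failure message=\"#{summary}\">"
    found.each do |i|
      where = i[:vector] ? "#{i[:url]} (input: #{i[:vector]})" : i[:url]
      out << "      #{xml_escape("[#{i[:severity]}] #{where}")}"
    end
    out << '    </failure>'
    out << '  </testcase>'
  end
  out << '</testsuite>'
  out.join("\n")
end
```

Write the string to a file matched by the Jenkins JUnit publisher's report pattern (for example `reports/arachni.xml`) and let the publisher fail the build on failures or errors. Checks with no findings still appear as passing testcases, which is what lets you notice when a check has stopped running at all rather than merely finding nothing.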

Page 11:

Demo

Page 12:

Brakeman detects 2 XSS

Page 13:

Brakeman detected XSS: details

Undetected issue

Fake issue: @secure is static!

Real XSS
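What the two Brakeman findings mean in code. The Ruby below is an added example written for this page (the demo application is not reproduced in the slides), and it uses plain ERB from the standard library in place of Rails views: plain ERB's `<%= %>` does not escape, so it stands in for a Rails view that emits a value through `raw` or `.html_safe`, while `ERB::Util.html_escape` stands in for Rails' default escaping. The template strings, the `SECURE` constant standing in for `@secure`, the probe payload and the function names are all constructed for the example.

```ruby
require 'erb'

# Constructed attacker input: a classic reflected-XSS probe.
PAYLOAD = '<script>alert(1)</script>'

# Stand-in for a Rails view doing `<%= raw params[:q] %>` (or `.html_safe`):
# plain ERB's <%= %> does not escape, so the parameter lands in the page verbatim.
VULNERABLE_VIEW = ERB.new('<p>Results for <%= q %></p>')

# Stand-in for Rails' default `<%= params[:q] %>`, which HTML-escapes output.
# The escaping is explicit here because plain ERB has no auto-escaping.
SAFE_VIEW = ERB.new('<p>Results for <%= ERB::Util.html_escape(q) %></p>')

# The "@secure is static" case: a value emitted without escaping, but one the
# application controls entirely. A static scanner sees only the unescaped
# output; it cannot know that no attacker input ever reaches this string.
SECURE = 'Connection is <b>encrypted</b>'
STATIC_VIEW = ERB.new('<p><%= secure %></p>')

def render_vulnerable(q)
  VULNERABLE_VIEW.result_with_hash(q: q)
end

def render_safe(q)
  SAFE_VIEW.result_with_hash(q: q)
end

def render_static
  STATIC_VIEW.result_with_hash(secure: SECURE)
end

# The crude check a dynamic scanner performs: did the probe come back as
# live markup rather than as escaped text?
def reflects_script?(html, payload = PAYLOAD)
  html.include?(payload)
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable: #{render_vulnerable(PAYLOAD)}"
  puts "safe:       #{render_safe(PAYLOAD)}"
  puts "static:     #{render_static}"
end
```

The static case is why the demo marks one finding as fake: the scanner sees a value emitted without escaping and has no way to prove it never carries attacker input, so a human has to decide. Waiving it is reasonable as long as `SECURE` stays a constant; the day someone assigns it from a request parameter, the waiver hides a real bug, which is the maintenance cost of ignore lists.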

Page 14:

Arachni scan result

Page 15:

Arachni issue details

Page 16:

Issues

False positives lower CI confidence

Cannot test against production (dangerous), which leads to more false positives

Tool updates depend on the maintainers' will

Need to iteratively adapt your code

Vulnerability debt (legacy code)

Security tests are not written by you

Need deep attack knowledge to understand them

Page 17:

Sqreen: you code, we protect

We automatically protect your apps

Strong and transparent

Beta program available:

Come and see me if you have Rails- or Sinatra-based applications

Sqreen is hiring: http://sqreen.io/jobs.html