Web security can be very confusing and frustrating at times. A lot of companies don’t pay enough attention to it until something bad happens and users’ data and safety are compromised.
Ruby developers have a wealth of tools for efficient prototyping, testing, and continuous integration that are well known and widely accepted in the community. But what about security? An average Ruby developer would probably mention Brakeman and Gemnasium, but only a handful of teams have looked into more options and even fewer have adopted other solutions.
In this article I will cover open source security libraries, web services, and reads that any developer should consider before implementing their next Ruby app.
First, I will go over some useful security libraries that are not abandoned and are mature enough to be used in production environments.
bundler-audit is the most basic vulnerability scanner: it uses ruby-advisory-db and checks the gems in your Gemfile for known issues. Running a security test is as simple as running bundle-audit inside your project directory.
The downside of this gem is that it depends on a database maintained by other developers, so there is a natural lag between a security advisory being published and the corresponding entry landing in the database.
Brakeman Scanner is the staple of every Rails security audit that includes static code analysis. This library has evolved a lot in the past four years and now supports many different security notifications. Brakeman can be run as a command line app as well as a Ruby library inside your project.
One major downside of Brakeman is that it can generate a lot of false positives but it’s mostly due to the nature of static code analysis rather than the library itself.
Codesake::Dawn is yet another security scanner for Ruby apps. It supports Rails, Sinatra, and Padrino frameworks. It has its own knowledge base with CVE vulnerabilities for gems as well as a static analyzer for code.
Codesake::Dawn is not as actively developed as Brakeman, making it the second best choice when it comes to static code analysis. It’s good to use it as a sidekick to make sure Brakeman didn’t miss anything.
Rack::Attack is a Rack middleware that protects your web app from potentially malicious clients. It allows whitelisting, blacklisting, throttling, and tracking based on arbitrary properties of the request. It’s extremely useful for setting up a basic defense against DDoS attacks and for limiting an adversary’s brute-force options when they target form inputs on sign-up and other critical pages.
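To make the throttling idea concrete, here is an added example (not Rack::Attack’s own code) of a hand-rolled Rack middleware that does what a Rack::Attack throttle rule does for a sign-in form: it counts POSTs to an assumed /users/sign_in route per client IP in fixed 60-second windows and answers 429 once the limit is exceeded. The in-memory Hash store and injectable clock are stand-ins so it runs without the gem or a server.

```ruby
# Added example: minimal throttle middleware mirroring a Rack::Attack
# throttle rule. Hash store and fake clock are assumptions for a
# self-contained demo; in production the counters would live in a cache.
class LoginThrottle
  LIMIT  = 5                           # attempts allowed per window
  PERIOD = 60                          # window length in seconds
  PROTECTED_PATH = "/users/sign_in"    # assumed sign-in route

  def initialize(app, store: Hash.new(0), clock: -> { Time.now.to_i })
    @app, @store, @clock = app, store, clock
  end

  def call(env)
    return @app.call(env) unless throttled_request?(env)

    # One counter per client IP per fixed window.
    now = @clock.call
    key = "login:#{env['REMOTE_ADDR']}:#{now / PERIOD}"
    @store[key] += 1
    if @store[key] > LIMIT
      retry_after = PERIOD - (now % PERIOD)
      return [429, { "Content-Type" => "text/plain",
                     "Retry-After" => retry_after.to_s }, ["Retry later\n"]]
    end
    @app.call(env)
  end

  private

  # Only login form submissions are throttled; everything else passes.
  def throttled_request?(env)
    env["REQUEST_METHOD"] == "POST" && env["PATH_INFO"] == PROTECTED_PATH
  end
end

# Constructed Rack env for a fake request (no real HTTP involved).
def login_env(ip, method: "POST", path: "/users/sign_in")
  { "REQUEST_METHOD" => method, "PATH_INFO" => path, "REMOTE_ADDR" => ip }
end

# Fire n requests from one IP at a frozen clock and collect the statuses.
def status_sequence(ip, n, method: "POST", now: 1_700_000_000)
  app = LoginThrottle.new(->(_env) { [200, {}, ["ok\n"]] }, clock: -> { now })
  Array.new(n) { app.call(login_env(ip, method: method)).first }
end
```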
Tarantula is a website crawler that tests your running Rails apps for bad input validation that results in XSS and SQL injection. This gem requires some tinkering, but once set up it’s a great way to automate basic black box testing of your app.
Hakiri Toolbelt is a gem extension to Hakiri, but it has some useful standalone features. On top of scanning Gemfiles like bundler-audit, it can also check server stack technologies for vulnerabilities (like Ruby, Postgres, Unicorn, Apache, and a few others). Running a scan is as simple as hakiri system:scan or hakiri gemfile:scan. During the scan your local technology versions are checked against an automatically updated remote database.
The downside of this gem is that it only runs in the command line and using it as a library is impossible until the next major release is out.
Of course, open source security tools are very nice, but what if you don’t want to deal with setting up a brand new flow in your development routine just yet and would rather focus on creating your product than on performing version checks and static code analysis scans? You could “outsource” some of your security monitoring to a third party service, much like thousands of teams let other services deal with setting up continuous integration, checking test coverage, automating code reviews, and other routine development tasks. Several services have emerged to close this gap. I want to point out that these services deal with a limited but important range of security issues, namely version checking of your gems and server stack technologies as well as static code analysis for common security issues like authorization, XSS, and SQL injection.
Gemcanary is a security web service for Ruby projects that monitors your public and private projects against CVE and OSVDB vulnerabilities from Ruby Security Database. If a new vulnerability is detected in one of your gems Gemcanary sends you a notification email. It’s free for public and private projects.
Gemnasium keeps tabs on gem versions in your Ruby projects and notifies you when new ones are released. It also sends alerts about new security advisories via email. Gemnasium is free for public projects.
Hakiri focuses on web security for public and private Ruby projects. It monitors Ruby gems, code, and server stack technologies for 32 different security metrics and sends you an email or a Slack message on each code push or when a new security advisory is out. Hakiri is free for public projects.
PullReview is a handy service for Ruby developers that encourages you to fix problems in the code before merging pull requests. PullReview runs various tests on your code and then generates suggestions on how to eliminate duplication and complexity, get rid of code smells, and improve security. The latter uses Brakeman in the background. PullReview is free for public projects.
On top of writing about security gems and services I wanted to share links to some important reads for Ruby engineers that cover some basic and more advanced security concepts with concrete examples.
This Rails cheatsheet from OWASP provides some basic tips for Rails developers covering command injection, SQL injection, XSS, sessions, authentication, and several other common attack vectors.
The official Rails security guide is a comprehensive read from the creators of Rails. It covers several attack vectors with appropriate defenses.
This security guide from Honeybadger goes over the same concepts as the previous two articles but it presents them from slightly different and more fun angles.
This is a very important read from Patrick McKenzie that is relevant for any developer. It was written on January 31, 2013, after several devastating Rails vulnerabilities went public. Patrick explains why security is so important in every single project by presenting several real-life scenarios in which adversaries exploit Rails vulnerabilities.
I hope this comprehensive breakdown of security tools and resources for Ruby projects will serve you well. If you think that some good tool is missing from this list please let me know and I will gladly add it.