
Ruby on Rails security in your Continuous Integration


Sqreen (https://www.sqreen.io) describes how open-source public tools can help improve your software security in your Continuous Integration cycle.
This presentation focuses on Ruby on Rails and uses open source Ruby gems as well as Jenkins, an open source CI tool.
Two tools are presented. Arachni (https://github.com/Arachni/arachni) is a dynamic security analysis tool. It needs some special scripting to be integrated into Jenkins (ask me!).
Brakeman (https://github.com/presidentbeef/brakeman), a static analysis tool, targets Ruby on Rails application source code. It can easily be integrated into Jenkins thanks to an existing plug-in.
This approach can make the reports hard to understand and to process systematically in a CI workflow.

Jean-Baptiste Aviat, Sqreen CTO


  1. Confidential & proprietary © Sqreen, 2015. Rails Security Continuous Integration. We make products antifragile.
  2. Jean-Baptiste Aviat, Sqreen CTO (https://sqreen.io). Former Apple software security engineer. Former white hat hacker. Twitter: @JbAviat. Email: jb@sqreen.io
  3. “Never send a human to do a machine's job.” – Agent Smith
  4. Continuous Integration. Quality: automate everything you can. Unit tests at every commit. Integration tests at every commit. Test against a production-like stack. Maximize confidence for every commit.
  5. “Testing shows the presence, not the absence of bugs.” – Edsger W. Dijkstra
  6. Static & Dynamic analysis
  7. Static analysis - Brakeman. http://brakemanscanner.org/. Written in Ruby. Dedicated to Ruby on Rails. Open source: https://github.com/presidentbeef/brakeman. Podcast: Ruby Rogues #219
  8. Static analysis - Jenkins integration. Jenkins plugin: https://wiki.jenkins-ci.org/display/JENKINS/Brakeman+Plugin. Install the gem on the test server. Add an adequate test to Jenkins. Done.
  9. Dynamic analysis - Arachni. http://www.arachni-scanner.com/. Written in Ruby. Compatible with any web application. Open source: https://github.com/Arachni/arachni/. Powerful but complex.
  10. Dynamic analysis - Jenkins integration. No Jenkins plugin: do it yourself with JUnit XML (contact me). Order tests by sensitivity. Set a short timeout. Dynamic tests: the faster the server, the better. Puma did well.
  11. Demo
  12. Brakeman detects 2 XSS
  13. Brakeman detected XSS details. Undetected issue. Fake issue: @secure is static! Real XSS.
  14. Arachni scan result
  15. Arachni issue details
  16. Issues. False positives lower CI confidence. Cannot test against production (dangerous), which leads to more false positives. Tool updates depend on the maintainers' will. Need to iteratively adapt your code. Vulnerability debt (legacy). Security tests are not written by you. Need deep attack knowledge to understand them.
  17. Sqreen: you code, we protect. We automatically protect your apps. Strong and transparent. Beta program available: come and see me if you have Rails- or Sinatra-based applications. Sqreen is hiring: http://sqreen.io/jobs.html
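Slide 10 leaves the "do it yourself JUnit XML" step for Arachni as an exercise. The script below is an added example, not code from the slides, from Sqreen or from the Arachni project: it turns a scan report into a JUnit XML file that Jenkins can chart per commit, ordering findings by sensitivity as the slide advises. The report shape (an `issues` array with `name`, `severity` and `url` keys) and the sample data are assumptions constructed for this example; map them onto the real report format before use.

```ruby
# Added example (not from the slides, Sqreen or Arachni): converts a scanner
# report into JUnit XML so Jenkins records each finding as a failed test.
# ASSUMPTION: the issues[].name/severity/url shape is constructed here;
# adapt the keys to the real Arachni JSON report.
require 'json'
require 'rexml/document'

# Slide 10: "order tests by sensitivity" - most severe first.
SEVERITY_RANK = { 'high' => 0, 'medium' => 1, 'low' => 2, 'informational' => 3 }.freeze

# Constructed sample report (not real scanner output).
SAMPLE_REPORT = <<~JSON
  {"issues": [
    {"name": "Missing X-Frame-Options header", "severity": "low",
     "url": "http://localhost:3000/"},
    {"name": "Cross-Site Scripting (XSS)", "severity": "high",
     "url": "http://localhost:3000/search?q="},
    {"name": "Session cookie without HttpOnly", "severity": "medium",
     "url": "http://localhost:3000/login"}
  ]}
JSON

def load_issues(json)
  JSON.parse(json).fetch('issues', [])
end

def order_by_sensitivity(issues)
  issues.sort_by { |i| [SEVERITY_RANK.fetch(i['severity'].to_s.downcase, 99), i['name'].to_s] }
end

# Builds one <testsuite>; every finding becomes a failing <testcase>.
# Edge case: a clean scan still emits one passing case, otherwise Jenkins
# reports "no test results" instead of a green build.
def junit_xml(issues, suite_name: 'arachni')
  doc = REXML::Document.new
  doc << REXML::XMLDecl.new('1.0', 'UTF-8')
  suite = doc.add_element('testsuite', 'name' => suite_name,
                          'tests' => [issues.size, 1].max.to_s,
                          'failures' => issues.size.to_s)
  suite.add_element('testcase', 'classname' => suite_name, 'name' => 'no issues found') if issues.empty?
  order_by_sensitivity(issues).each do |issue|
    tc = suite.add_element('testcase', 'classname' => "#{suite_name}.#{issue['severity']}",
                           'name' => issue['name'])
    failure = tc.add_element('failure', 'message' => "#{issue['severity']}: #{issue['name']}")
    failure.text = "Affected URL: #{issue['url']}" # REXML escapes '&', '<' and quotes
  end
  out = +''
  doc.write(out, 2)
  out
end

puts junit_xml(load_issues(SAMPLE_REPORT)) if $PROGRAM_NAME == __FILE__
```

Point the Jenkins "Publish JUnit test result report" post-build step at the file this writes; the build then fails on any finding and the high-severity cases appear first.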
