
Ruby on Rails security in your Continuous Integration


Sqreen (https://www.sqreen.io) describes how open-source, publicly available tools can help improve your software security within your Continuous Integration cycle.
This presentation focuses on Ruby on Rails and uses open-source Ruby gems as well as Jenkins, an open-source CI tool.
Two tools are presented. Arachni (https://github.com/Arachni/arachni) is a dynamic security analysis tool. It needs some special scripting to be integrated into Jenkins (ask me!).
Brakeman (https://github.com/presidentbeef/brakeman), a static analysis tool, targets Ruby on Rails application source code. It can easily be integrated into Jenkins thanks to an existing plug-in.
This method can make the reports hard to understand and to process systematically in a CI workflow.

Jean-Baptiste Aviat, Sqreen CTO

Published in: Software


  1. Confidential & proprietary © Sqreen, 2015. Rails Security Continuous Integration. We make products antifragile.
  2. Jean-Baptiste Aviat, Sqreen CTO (https://sqreen.io). Former Apple software security engineer. Former white hat hacker. Twitter: @JbAviat. Email: jb@sqreen.io
  3. "Never send a human to do a machine's job." – Agent Smith
  4. Continuous Integration. Quality: automate everything you can. Unit tests at every commit. Integration tests at every commit. Test against a production-like stack. Maximize confidence for every commit.
  5. "Testing shows the presence, not the absence of bugs." – Edsger W. Dijkstra
  6. Static & Dynamic analysis
  7. Static analysis - Brakeman. http://brakemanscanner.org/ Written in Ruby. Dedicated to Ruby on Rails. Open source: https://github.com/presidentbeef/brakeman Podcast: Ruby Rogues #219
  8. Static analysis - Jenkins integration. Jenkins plugin: https://wiki.jenkins-ci.org/display/JENKINS/Brakeman+Plugin Install the gem on the test server. Add an adequate test to Jenkins. Done.
  9. Dynamic analysis - Arachni. http://www.arachni-scanner.com/ Written in Ruby. Compatible with any web application. Open source: https://github.com/Arachni/arachni/ Powerful but complex.
  10. Dynamic analysis - Jenkins integration. No Jenkins plugin: do it yourself, producing JUnit XML (contact me). Order tests by sensitivity. Set a short timeout. Dynamic tests: the faster the server, the better; Puma did well.
  11. Demo
  12. Brakeman detects 2 XSS
  13. Brakeman detected XSS details. Undetected issue. Fake issue: @secure is static! Real XSS.
  14. Arachni scan result
  15. Arachni issue details
  16. Issues:
     • False positives lower CI confidence.
     • Cannot test against production (dangerous), which leads to more false positives.
     • Tool updates depend on the maintainers' will.
     • Need to iteratively adapt your code.
     • Vulnerability debt (legacy).
     • Security tests are not written by you.
     • Need deep attack knowledge to understand them.
  17. Sqreen: you code, we protect. We automatically protect your apps. Strong and transparent. Beta program available: come and see me if you have Rails or Sinatra based applications. Sqreen is hiring: http://sqreen.io/jobs.html
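Slide 8 leaves the Jenkins step at "add an adequate test". The Ruby script below is an added example, not part of the deck and not Brakeman's own code: it reads the JSON report Brakeman writes (`brakeman -q -f json -o brakeman.json`), drops warnings below a confidence threshold and warnings whose fingerprint has been reviewed as a false positive (the static `@secure` case from slide 13 is the kind of finding that goes on that list), and returns the exit status the Jenkins job should use. The report embedded in the script is constructed; its keys (`warnings`, `confidence`, `fingerprint`, `errors`) follow Brakeman's JSON report format, and the fingerprint values are made up.

```ruby
# Added example (not from the slides): gate a Jenkins build on a Brakeman
# JSON report. Run `brakeman -q -f json -o brakeman.json` first.
require 'json'

# Constructed sample in the shape of Brakeman's JSON report.
# Fingerprints are made up; files and messages are illustrative.
SAMPLE_REPORT = <<~JSON
{
  "warnings": [
    {"warning_type": "Cross-Site Scripting", "confidence": "High",
     "fingerprint": "aaaa1111", "file": "app/views/search/show.html.erb",
     "line": 4, "message": "Unescaped parameter value", "code": "raw(params[:q])"},
    {"warning_type": "Cross-Site Scripting", "confidence": "Medium",
     "fingerprint": "bbbb2222", "file": "app/views/home/index.html.erb",
     "line": 9, "message": "Unescaped model attribute", "code": "raw(@secure)"},
    {"warning_type": "Mass Assignment", "confidence": "Weak",
     "fingerprint": "cccc3333", "file": "app/controllers/users_controller.rb",
     "line": 21, "message": "Parameters should be whitelisted", "code": "params.permit!"}
  ],
  "errors": []
}
JSON

# Brakeman reports confidence as High / Medium / Weak.
CONFIDENCE_RANK = { 'High' => 3, 'Medium' => 2, 'Weak' => 1 }.freeze

# Warnings that should fail the build: at or above the minimum confidence
# and not on the reviewed false-positive list (matched by fingerprint, so
# the entry survives line-number changes).
def blocking_warnings(report_json, ignore_fingerprints: [], min_confidence: 'Medium')
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  JSON.parse(report_json).fetch('warnings').reject do |w|
    ignore_fingerprints.include?(w['fingerprint']) ||
      CONFIDENCE_RANK.fetch(w['confidence'], 0) < threshold
  end
end

# One line per finding, most confident first, for the Jenkins console log.
def format_warnings(warnings)
  warnings.sort_by { |w| -CONFIDENCE_RANK.fetch(w['confidence'], 0) }
          .map { |w| "#{w['confidence']}: #{w['warning_type']} #{w['file']}:#{w['line']} (#{w['fingerprint']})" }
end

# Exit status for the CI step: 0 passes, 1 fails. A scan that hit errors
# (files Brakeman could not parse) fails too, so a broken scan never looks clean.
def ci_exit_status(report_json, ignore_fingerprints: [], min_confidence: 'Medium')
  return 1 unless JSON.parse(report_json).fetch('errors', []).empty?

  blocking = blocking_warnings(report_json, ignore_fingerprints: ignore_fingerprints,
                                            min_confidence: min_confidence)
  blocking.empty? ? 0 : 1
end

if $PROGRAM_NAME == __FILE__
  # bbbb2222 is the raw(@secure) warning: reviewed, @secure is a static string.
  reviewed = ['bbbb2222']
  puts format_warnings(blocking_warnings(SAMPLE_REPORT, ignore_fingerprints: reviewed))
  puts "exit status: #{ci_exit_status(SAMPLE_REPORT, ignore_fingerprints: reviewed)}"
end
```

Brakeman's own `--exit-on-warn` flag and a `brakeman.ignore` file (passed with `-i`) provide the same gate without a script; the point of writing it out is that the policy (confidence floor, reviewed fingerprints, fail on scan errors) is explicit in the repository instead of in job configuration.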
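For slide 10's "do it yourself, JUnit XML" step, here is an added Ruby example (not the author's script, which the deck does not include) that converts an Arachni JSON report into JUnit XML: one failed testcase per issue, sorted most severe first as the slide recommends, plus a passing testcase for every check that found nothing, so Jenkins' standard JUnit publisher can display the scan as a test suite. The embedded report is constructed; its field names (`issues`, `severity`, `check.shortname`, `vector.url`) are an assumption about the output of Arachni's JSON reporter and should be checked against the report your Arachni version produces. `all_checks` is assumed to be the list of checks you enabled for the scan.

```ruby
# Added example (not from the slides): Arachni JSON report -> JUnit XML for
# the Jenkins JUnit publisher.
require 'json'
require 'cgi'

# Constructed sample in the assumed shape of an Arachni JSON report
# (verify field names against your version's reporter output).
SAMPLE_ARACHNI = <<~JSON
{
  "issues": [
    {"name": "Cross-Site Scripting (XSS)", "severity": "high",
     "check": {"shortname": "xss"},
     "vector": {"url": "http://app.test/search", "method": "get", "affected_input_name": "q"}},
    {"name": "Missing 'X-Frame-Options' header", "severity": "low",
     "check": {"shortname": "x_frame_options"},
     "vector": {"url": "http://app.test/", "method": "get", "affected_input_name": null}},
    {"name": "SQL Injection", "severity": "high",
     "check": {"shortname": "sql_injection"},
     "vector": {"url": "http://app.test/users", "method": "post", "affected_input_name": "id"}}
  ]
}
JSON

SEVERITY_RANK = { 'high' => 3, 'medium' => 2, 'low' => 1, 'informational' => 0 }.freeze

def severity_of(issue)
  SEVERITY_RANK.fetch(issue['severity'].to_s.downcase, 0)
end

# Issues sorted by severity (then name) so the first red test in Jenkins is
# the one worth reading first.
def issues_by_severity(report_json)
  JSON.parse(report_json).fetch('issues', [])
      .sort_by { |i| [-severity_of(i), i['name'].to_s] }
end

# all_checks: the checks the scan ran (assumed to come from your scan
# configuration). Issues below min_failing are dropped rather than reported
# as failures, which keeps low-severity noise from breaking the build.
def junit_xml(report_json, all_checks, min_failing: 'medium')
  threshold = SEVERITY_RANK.fetch(min_failing)
  failing = issues_by_severity(report_json).select { |i| severity_of(i) >= threshold }
  failed_checks = failing.map { |i| i.dig('check', 'shortname') }.uniq

  cases = failing.map do |i|
    v = i['vector'] || {}
    name = CGI.escapeHTML("#{i.dig('check', 'shortname')} #{v['method']} #{v['url']} [#{v['affected_input_name']}]")
    msg = CGI.escapeHTML("#{i['severity']}: #{i['name']}")
    %(  <testcase classname="arachni" name="#{name}">\n    <failure message="#{msg}"/>\n  </testcase>)
  end
  (all_checks - failed_checks).each do |check|
    cases << %(  <testcase classname="arachni" name="#{CGI.escapeHTML(check)}"/>)
  end

  <<~XML
    <?xml version="1.0" encoding="UTF-8"?>
    <testsuite name="arachni" tests="#{cases.size}" failures="#{failing.size}">
    #{cases.join("\n")}
    </testsuite>
  XML
end

if $PROGRAM_NAME == __FILE__
  # Write this to a path matched by the Jenkins "Publish JUnit test result report" step.
  puts junit_xml(SAMPLE_ARACHNI, %w[xss sql_injection x_frame_options csrf])
end
```

Pair this with the short scan timeout the slide recommends: a DAST job that never finishes produces no XML, and a missing result file should be treated as a failed build, not a passed one.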
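Slide 13 shows Brakeman flagging two `raw` calls, one real and one a false positive because `@secure` is a static string. The added example below (not from the deck) models the three view fragments in plain ERB from the standard library. Plain ERB never escapes, so `raw` is represented by a bare `<%= %>` and Rails' default escaping by `h(...)` from `ERB::Util`; the `SearchView` class is a stand-in for a controller action that assigns `@secure` a literal. Rendering each fragment with an attacker-controlled query string shows why the `@secure` finding is noise, why the `params[:q]` one is real, and what the fix looks like.

```ruby
# Added example (not from the slides): the two Brakeman XSS findings from the
# demo, modelled in plain ERB. Rails escapes <%= %> by default and `raw` opts
# out; plain ERB never escapes, so here `raw` = bare <%= %> and the Rails
# default = h(...).
require 'erb'
include ERB::Util # h() / html_escape, as available in Rails views

PAYLOAD = '<script>alert(1)</script>'

VIEWS = {
  static_raw:    'Banner: <%= @secure %>',              # raw(@secure): flagged, but a false positive
  param_raw:     'Results for <%= params[:q] %>',       # raw(params[:q]): real reflected XSS
  param_escaped: 'Results for <%= h(params[:q]) %>'     # Rails default escaping: the fix
}.freeze

# Minimal stand-in for a controller action plus view render.
class SearchView
  attr_reader :params

  def initialize(params)
    @params = params
    @secure = '<b>Welcome</b>' # assigned a literal; request data never reaches it
  end

  def render(view_name)
    ERB.new(VIEWS.fetch(view_name)).result(binding)
  end
end

def render_view(view_name, q)
  SearchView.new({ q: q }).render(view_name)
end

# True when the attacker's string comes back as live markup, which is the
# condition Brakeman is trying to predict statically.
def reflects_payload?(view_name, payload = PAYLOAD)
  render_view(view_name, payload).include?(payload)
end

if $PROGRAM_NAME == __FILE__
  VIEWS.each_key do |name|
    puts "#{name}: reflects payload? #{reflects_payload?(name)}  -> #{render_view(name, PAYLOAD)}"
  end
end
```

The static case is exactly the kind of finding that belongs on a reviewed-fingerprint ignore list; the `params[:q]` case is fixed by removing `raw`, and the test above turns the slide's manual judgement into something the CI job can check on every commit.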
