Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.
The Brakeman gem lives as a command-line tool on our computer, so we don't need to add it to our application via the Gemfile.
$ gem install brakeman
When run from the root directory of a Rails application, it will scan through our code and look for any known security problems.
$ brakeman
It will print out a list of all the different checks it's performing, a summary of its results, and then a table of the actual security issues that it uncovered.
Let's take a look at what Brakeman says about a few projects.
[live walk-through]
Like all static analysis tools, Brakeman will give us the occasional false positive. Most of the apps we've built so far, being brand new and not amazingly complex, should have few (if any) security issues.
Remember:
New vulnerabilities are always being found, so application security is part of the ongoing maintenance costs of any piece of software. Here are some ways to minimize the costs.
- Subscribe to the Ruby on Rails Security Mailing List
- Stay current with Rails patches - updates come out every so often to fix bugs and security holes, and usually upgrading is well-documented and easy.
- Keep Brakeman updated and run it frequently
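As an added example (not from this lesson and not Brakeman's own code), here is one way to act on Brakeman's results automatically when running it frequently: a Ruby script that reads a `brakeman -f json` report, drops warnings already reviewed as false positives by their fingerprint, and returns the ones that should fail a build. The field names follow the shape of Brakeman's JSON report as I understand it, and the report contents are constructed for the example.

```ruby
require 'json'

# Constructed sample in the shape of `brakeman -f json` output (assumption: the
# field names match Brakeman's JSON report; the warnings themselves are invented).
SAMPLE_REPORT = <<~JSON
  {
    "scan_info": { "app_path": "/srv/app", "rails_version": "7.0.0" },
    "warnings": [
      { "warning_type": "SQL Injection", "check_name": "SQL", "confidence": "High",
        "file": "app/models/user.rb", "line": 12, "fingerprint": "aaa111",
        "message": "Possible SQL injection" },
      { "warning_type": "Cross-Site Scripting", "check_name": "CrossSiteScripting",
        "confidence": "Medium", "file": "app/views/posts/show.html.erb", "line": 4,
        "fingerprint": "bbb222", "message": "Unescaped model attribute" },
      { "warning_type": "Mass Assignment", "check_name": "MassAssignment",
        "confidence": "Weak", "file": "app/controllers/users_controller.rb", "line": 30,
        "fingerprint": "ccc333", "message": "Parameters should be whitelisted" }
    ],
    "errors": []
  }
JSON

# Fingerprints a developer has reviewed and judged to be false positives
# (constructed list; Brakeman keeps the same kind of list in a brakeman.ignore file).
REVIEWED_FALSE_POSITIVES = ["bbb222"].freeze

# Brakeman reports confidence as High, Medium or Weak; rank them for comparison.
CONFIDENCE_RANK = { "High" => 3, "Medium" => 2, "Weak" => 1 }.freeze

# Returns the warnings that should fail the build: at or above the minimum
# confidence and not on the reviewed false-positive list.
def blocking_warnings(report_json, min_confidence: "Medium", ignored: [])
  report = JSON.parse(report_json)
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  report.fetch("warnings").reject do |w|
    CONFIDENCE_RANK.fetch(w["confidence"], 0) < threshold ||
      ignored.include?(w["fingerprint"])
  end
end

# One human-readable line per blocking warning, for the build log.
def summarize(warnings)
  warnings.map { |w| "#{w['confidence']}: #{w['warning_type']} in #{w['file']}:#{w['line']}" }
end

if __FILE__ == $PROGRAM_NAME
  blocking = blocking_warnings(SAMPLE_REPORT, ignored: REVIEWED_FALSE_POSITIVES)
  puts(blocking.empty? ? "Brakeman: no blocking warnings" : summarize(blocking))
end
```

In a real pipeline the report would come from `brakeman -f json -o report.json` and a non-empty result would set a failing exit status.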