
by cbq

Tech Talk on Brakeman

Published January 27, 2012 tagged with: Tech Talk

Bicycle locks

Dave's Tech Talk this week is on web application security, focusing on Ruby on Rails applications and on Brakeman (brakeman on github), a static analysis security scanner for Rails code.

In this talk, Dave looks at how static security analyzers work, and at how we used Brakeman to find a few very minor possible security weak points (fixed within a few minutes of finding them) in an application we built for a client.

Static analysis reads your source code and looks for known vulnerability patterns. Unlike dynamic scanners or intrusion "detection" tools, which probe a live site from the outside, static analyzers run on the code itself, so they can be run before anything is deployed.

In Ruby this is hard because it is a dynamic language: the analyzer cannot know at parse time which method will actually run or what value a variable will hold. Because of this, Brakeman (like any static analysis scanner) will report "false positives", code that matches a vulnerability pattern but is not actually exploitable. They are easy to track down and, once reviewed, safe to ignore.

Dave notes that, because of Ruby's dynamism, Brakeman cannot analyze code that relies heavily on method_missing meta-programming: a call that is dispatched at runtime never appears as a method name in the parsed source. The patterns it does identify are easy to see, and you can apply Brakeman's recommendations by hand in your meta-programming code to secure your web application.
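To make the three points above concrete (how a static scanner finds patterns in source, why it reports false positives, and why runtime dispatch hides code from it), here is a toy scanner written for this post. It is an added example, not Brakeman's code and not code from the client application. It uses Ruby's standard-library Ripper parser to walk the syntax tree of a constructed controller snippet and flags ActiveRecord query methods whose first argument is an interpolated or concatenated string. The sink list, the sample controller, and the names ToyScanner, SAMPLE and Finding are all assumptions made for the example.

```ruby
require "ripper"

# Toy static scanner in the spirit of Brakeman (not Brakeman's own code): parse
# Ruby with the stdlib Ripper parser, walk the S-expression tree, and flag query
# methods whose first argument is a string built by interpolation or concatenation.
module ToyScanner
  # Methods whose first argument ends up in SQL (assumed list for the example).
  SQL_SINKS = %w[where order group having select find_by_sql execute].freeze
  Finding = Struct.new(:line, :sink, :reason)

  def self.scan(source)
    tree = Ripper.sexp(source) or raise ArgumentError, "source does not parse"
    findings = []
    walk(tree) { |node| findings << check(node) }
    findings.compact.sort_by(&:line)
  end

  # Depth-first traversal over Ripper's nested arrays; yields every typed node.
  def self.walk(node, &blk)
    return unless node.is_a?(Array)
    blk.call(node) if node.first.is_a?(Symbol)
    node.each { |child| walk(child, &blk) }
  end

  # Split a call-like node into [method identifier, argument node], or nil.
  def self.call_parts(node)
    case node.first
    when :method_add_arg                        # recv.m(args) or m(args)
      callee = node[1]
      ident = { call: 3, fcall: 1 }[callee.first]
      [ident && callee[ident], node[2]]
    when :command      then [node[1], node[2]]  # m args
    when :command_call then [node[3], node[4]]  # recv.m args
    end
  end

  def self.check(node)
    ident, args = call_parts(node)
    return unless ident.is_a?(Array) && ident.first == :@ident && SQL_SINKS.include?(ident[1])
    arg = first_argument(args)
    reason = arg && tainted_string(arg)
    Finding.new(ident[2][0], ident[1], reason) if reason
  end

  # Unwrap parentheses and argument lists down to the first positional argument.
  def self.first_argument(node)
    while node.is_a?(Array) && !node.empty?
      case node.first
      when :arg_paren, :args_add_block then node = node[1]
      when Array                       then return node.first
      else                             return nil
      end
    end
    nil
  end

  # The two syntactic shapes a SQL injection check looks for in a query string.
  def self.tainted_string(arg)
    case arg.first
    when :string_literal
      "interpolation in SQL string" if contains?(arg, :string_embexpr)
    when :binary
      sides = [arg[1], arg[3]]
      "string concatenation in SQL string" if arg[2] == :+ && sides.any? { |s| s.is_a?(Array) && s.first == :string_literal }
    end
  end

  def self.contains?(node, type)
    node.is_a?(Array) && (node.first == type || node.any? { |child| contains?(child, type) })
  end
end

# Constructed sample controller, not code from the client application in the post.
SAMPLE = <<~'RUBY'
  class UsersController < ApplicationController
    SORT_COLUMN = "created_at"
    def search
      # 1. Real SQL injection: request input interpolated into the query
      @users = User.where("name = '#{params[:name]}'")
    end
    def safe_search
      # 2. Safe: bind parameter, nothing to flag
      @users = User.where("name = ?", params[:name])
    end
    def sorted
      # 3. False positive: a constant is interpolated, but the scanner cannot tell
      @users = User.order("#{SORT_COLUMN} DESC")
    end
    def dynamic
      # 4. Missed: dynamic dispatch hides the method name from the scanner
      @users = User.send(:where, "name = '#{params[:name]}'")
    end
  end
RUBY

if $PROGRAM_NAME == __FILE__
  ToyScanner.scan(SAMPLE).each { |f| puts "line #{f.line}: #{f.sink} - #{f.reason}" }
end
```

Run as a script it reports line 5 (the real injection) and line 13 (the constant interpolation, a false positive that a quick look at the code lets you dismiss), and says nothing about line 17, where the query is dispatched through send and the word `where` never appears as a parsed method name. That silence is exactly the method_missing caveat from the talk: anything your meta-programming routes around the parser has to be reviewed by hand.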

Check out the talk on Vimeo: Tech Talk on Brakeman

Image Credit: fishywang on Flickr
