Tech Talk on Brakeman
In this talk, Dave looks at how static security analyzers work, and how we used one to find a few very small possible security weak points (already fixed within minutes of being found) in an application we built for a client.
Static analysis reads your source code and looks for known vulnerability patterns. As opposed to dynamic (black-box) scanners, which probe a live, running site from the outside the way an attacker would, these run on the code itself and never execute it.
In Ruby this is hard because it is a dynamic language: what a line of code does is often not known until it runs. Because of this, Brakeman (like any static analysis scanner) will report “false positives”, findings that are not actually vulnerabilities. They are easy to track down, and once you have confirmed that a warning is harmless it can be safely ignored.
Dave notes that, because of Ruby’s dynamism, if you do a lot of method_missing meta-programming, Brakeman won’t be able to analyze that code: it cannot see which method a dynamically resolved call ends up in. The patterns and places it does identify are easy to see, and you can apply Brakeman’s recommendations by hand to your meta-programming code to secure your web application.
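To make the three points above concrete, here is an added example (not code from the talk, and not Brakeman’s own implementation): a toy static analyzer written in plain Ruby on top of the interpreter’s parser, RubyVM::AbstractSyntaxTree. It walks the syntax tree of a Rails-style snippet and flags calls to a small, assumed list of SQL sinks (`where`, `order`, `find_by_sql`) whose query text is assembled at run time by interpolation or concatenation, the SQL-injection shape Brakeman reports. The four sample sources it scans are constructed for this example and are only parsed, never run: the vulnerable shape, its fix, a false positive (interpolating a constant), and the method_missing blind spot, where the sink is reached through dynamic dispatch and so never appears as a literal `where` call.

```ruby
# Toy static analyzer, added for this post (not from the talk, not Brakeman's code).
# It parses Ruby source with the interpreter's own parser and flags calls to a few
# assumed SQL sinks whose query argument is built at run time from string pieces.
# All sample sources below are constructed for this example and are only parsed.

# Assumed sink names for this example; Brakeman's real sink list is much larger.
SQL_SINKS = %i[where find_by_sql order].freeze

Finding = Struct.new(:line, :sink, :reason)

def node?(obj)
  obj.is_a?(RubyVM::AbstractSyntaxTree::Node)
end

# A string argument whose content is decided at run time: "..#{x}.." or "..." + x
def dynamic_string?(arg)
  case arg.type
  when :DSTR   then "interpolation"
  when :OPCALL then arg.children[1] == :+ ? "concatenation" : nil
  end
end

# Depth-first walk over every node; for each method call, check whether it is a
# known sink that is fed a dynamically built string.
def scan(node, findings = [])
  return findings unless node?(node)

  recv_mid_args =
    case node.type
    when :CALL, :QCALL then node.children         # recv.meth(args), recv&.meth(args)
    when :FCALL        then [nil, *node.children] # meth(args) on implicit self
    end

  if recv_mid_args
    _recv, mid, args = recv_mid_args
    if SQL_SINKS.include?(mid) && node?(args)
      args.children.each do |arg|
        next unless node?(arg)
        reason = dynamic_string?(arg)
        findings << Finding.new(node.first_lineno, mid, reason) if reason
      end
    end
  end

  node.children.each { |child| scan(child, findings) }
  findings
end

def scan_source(src)
  scan(RubyVM::AbstractSyntaxTree.parse(src))
end

# 1. The shape Brakeman flags: attacker-controlled params spliced into SQL text.
VULNERABLE = <<~'RUBY'
  class UsersController < ApplicationController
    def index
      @users  = User.where("name = '#{params[:name]}'")
      @sorted = User.order("created_at " + params[:dir])
    end
  end
RUBY

# 2. The fix: bind parameters or hash conditions, and a fixed choice for ORDER BY.
FIXED = <<~'RUBY'
  class UsersController < ApplicationController
    def index
      @users  = User.where("name = ?", params[:name])
      @users  = User.where(name: params[:name])
      @sorted = User.order(created_at: params[:dir] == "desc" ? :desc : :asc)
    end
  end
RUBY

# 3. A false positive: the pattern matches, but the interpolated value is a constant,
#    so nothing attacker-controlled reaches the query. Review it, then ignore it.
FALSE_POSITIVE = <<~'RUBY'
  STATUS = "active"
  User.where("status = '#{STATUS}'")
RUBY

# 4. The blind spot Dave describes: the sink is reached through dynamic dispatch
#    (method_missing plus send), so no literal `where` call exists for the scanner to see.
HIDDEN = <<~'RUBY'
  class Finder
    def method_missing(name, *args)
      column = name.to_s.delete_prefix("by_")
      User.send(:where, "#{column} = '#{args.first}'")
    end
  end
  Finder.new.by_name(params[:name])
RUBY

if __FILE__ == $PROGRAM_NAME
  { vulnerable: VULNERABLE, fixed: FIXED, false_positive: FALSE_POSITIVE, hidden: HIDDEN }.each do |label, src|
    puts "#{label}: #{scan_source(src).map { |f| "line #{f.line} #{f.sink} (#{f.reason})" }.inspect}"
  end
end
```

Running it reports two findings for the vulnerable snippet (interpolation on line 3, concatenation on line 4), none for the fixed version, one for the constant interpolation (the false positive you would confirm and then ignore), and none at all for the method_missing version, even though it builds exactly the same injectable query at run time. That last silence is the point of Dave’s caveat: a pattern matcher over source code can only flag what is literally written, so meta-programmed code has to be reviewed by hand against the same recommendations.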
Check out the talk on Vimeo: Tech Talk on Brakeman
Image Credit: fishywang on Flickr