SlideShare a Scribd company logo

Ruby on Rails security in your Continuous Integration

Sqreen, profile picture
Sqreen

The document discusses the importance of automated testing in continuous integration for enhancing Rails application security. It highlights the use of static analysis tools like Brakeman and dynamic analysis tools like Arachni, including their integration with Jenkins. Additionally, it addresses challenges such as false positives in security testing and promotes Sqreen's services for app protection.

Software
Related topics:
Ruby on Rails OverviewContinuous IntegrationSoftware Testing Insights
1 of 17
Downloaded 14 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Confidential & proprietary © Sqreen, 2015 Rails Security Continuous Integration We make products antifragile.
Confidential & proprietary © Sqreen, 2015 Jean-Baptiste Aviat Sqreen CTO (https://sqreen.io) Former Apple software security engineer Former white hat hacker Twitter: @JbAviat Email: jb@sqreen.io
Confidential & proprietary © Sqreen, 2015 –Agent Smith “Never send a human to do a machine's job.”
Confidential & proprietary © Sqreen, 2015 Continuous Integration Quality: automate everything you can Unit tests at every commit Integration tests at every commit Test against a production like stack Maximize confidence for every commit
Confidential & proprietary © Sqreen, 2015 –Edsger W. Dijkstra “Testing shows the presence, not the absence of bugs.”
Confidential & proprietary © Sqreen, 2015 Static & Dynamic analysis
Confidential & proprietary © Sqreen, 2015 Static analysis - Brakeman http://brakemanscanner.org/ Written in Ruby Dedicated to Ruby on Rails Open source: https://github.com/presidentbeef/brakeman Podcast: Ruby Rogues #219
Confidential & proprietary © Sqreen, 2015 Static analysis - Jenkins integration Jenkins plugin: https://wiki.jenkins-ci.org/display/JENKINS/Brakeman+Plugin Install Gem on test server Add an adequate test to Jenkins Done.
Confidential & proprietary © Sqreen, 2015 Dynamic analysis - Arachni http://www.arachni-scanner.com/ Written in Ruby Compatible with any Web application Open source: https://github.com/Arachni/arachni/ Powerful but complex
Confidential & proprietary © Sqreen, 2015 Dynamic analysis - Jenkins integration No Jenkins plugin Do it yourself JUnit XML (contact me) Order tests by sensitivity Set a short timeout Dynamic tests: the faster server the better Puma did well
Confidential & proprietary © Sqreen, 2015 Demo
Confidential & proprietary © Sqreen, 2015 Brakeman detects 2 XSS
Confidential & proprietary © Sqreen, 2015 Brakeman detected XSS details Undetected issue Fake issue: @secure is static! Real XSS
Confidential & proprietary © Sqreen, 2015 Arachne scan result
Confidential & proprietary © Sqreen, 2015 Arachne issue details
Confidential & proprietary © Sqreen, 2015 Issues False positives lower CI confidence Cannot test against production (dangerous), lead to more false positives Tools updates depend on maintainers will Need to iteratively adapt your code Vulnerabilities debt (legacy) Security tests are not written by you Need deep attack knowledge to understand them
Confidential & proprietary © Sqreen, 2015 Sqreen: you code, we protect We automatically protect your apps Strong and transparent Beta program available: Come and see me if you have Rails or Sinatra based applications Sqreen is hiring : http://sqreen.io/jobs.html

More Related Content

PDF
Instrument Rack to visualize
 Rails requests processing
Sqreen
 
PDF
Tune your App Perf (and get fit for summer)
Sqreen
 
PDF
Application Security from the Inside - OWASP
Sqreen
 
PDF
Serverless security - how to protect what you don't see?
Sqreen
 
PDF
Securing Serverless - By Breaking In
Guy Podjarny
 
PPTX
Signal r core workshop - netconf
Miguel Angel Teheran Garcia
 
PPTX
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
Lacework
 
PDF
Application Security in a Container World - Akash Mahajan - BCC 2017
CodeOps Technologies LLP
 
Instrument Rack to visualize
 Rails requests processing
Sqreen
 
Tune your App Perf (and get fit for summer)
Sqreen
 
Application Security from the Inside - OWASP
Sqreen
 
Serverless security - how to protect what you don't see?
Sqreen
 
Securing Serverless - By Breaking In
Guy Podjarny
 
Signal r core workshop - netconf
Miguel Angel Teheran Garcia
 
AWS Security Week | Getting to Continuous Security and Compliance Monitoring ...
Lacework
 
Application Security in a Container World - Akash Mahajan - BCC 2017
CodeOps Technologies LLP
 

What's hot (19)

PDF
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
Lacework
 
PPTX
Lacework | Top 10 Cloud Security Threats
Lacework
 
PDF
Mitigate Security Threats with SIEM
Akamai Developers & Admins
 
PPTX
Self Service for IT Infrastructure
Cisco DevNet
 
PDF
Security in OSS DevOps
Cheah Eng Soon
 
PDF
Better Bug Stomping with Zend Studio and Zend Server
Zend by Rogue Wave Software
 
PDF
Enforce compliance policy with model-driven automation
Puppet
 
PPT
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Mohammed A. Imran
 
PDF
Set up a Development Environment in 5 Minutes
Akamai Developers & Admins
 
PDF
All Your Containers Are Belong To Us
Lacework
 
PDF
Principles Of Chaos Engineering - Chaos Engineering Hamburg
Nils Meder
 
PDF
Manage Your Akamai-as-Code with Terraform
Akamai Developers & Admins
 
PDF
Deployment Automation & Self-Healing with Dynatrace & Ansible
Jürgen Etzlstorfer
 
PDF
Infrastructure as Code
Prasant Kumar
 
PDF
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
Lacework
 
PPTX
Automated Intrusion Detection and Response on AWS
2nd Sight Lab
 
PPTX
.NET Security (Radu Vunvulea)
Radu Vunvulea
 
PDF
Ignite Denver - Robots!
360|Conferences
 
PPTX
Programming for the Internet of Things
Kinoma
 
DerbyCon 2019: Prepare to be Boarded! A Tale of Kubernetes, Plunder, and Cryp...
Lacework
 
Lacework | Top 10 Cloud Security Threats
Lacework
 
Mitigate Security Threats with SIEM
Akamai Developers & Admins
 
Self Service for IT Infrastructure
Cisco DevNet
 
Security in OSS DevOps
Cheah Eng Soon
 
Better Bug Stomping with Zend Studio and Zend Server
Zend by Rogue Wave Software
 
Enforce compliance policy with model-driven automation
Puppet
 
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Mohammed A. Imran
 
Set up a Development Environment in 5 Minutes
Akamai Developers & Admins
 
All Your Containers Are Belong To Us
Lacework
 
Principles Of Chaos Engineering - Chaos Engineering Hamburg
Nils Meder
 
Manage Your Akamai-as-Code with Terraform
Akamai Developers & Admins
 
Deployment Automation & Self-Healing with Dynatrace & Ansible
Jürgen Etzlstorfer
 
Infrastructure as Code
Prasant Kumar
 
BSides Denver 2019 - Cloud Wars Episode V: The Cryptojacker Strikes Back
Lacework
 
Automated Intrusion Detection and Response on AWS
2nd Sight Lab
 
.NET Security (Radu Vunvulea)
Radu Vunvulea
 
Ignite Denver - Robots!
360|Conferences
 
Programming for the Internet of Things
Kinoma
 
Ad

Viewers also liked (20)

PPTX
How to-use-buffer-by-ella
Eleaza Rose Devilleres
 
PDF
From Second Screen to Multi-Screen: We Are Social's Guide to Social Screens
We Are Social Singapore
 
PDF
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Christian Schneider
 
PDF
SteadyBudget's Seed Funding Pitch Deck
Shape Integrated Software
 
PDF
7 Tips to Beautiful PowerPoint by @itseugenec
Eugene Cheng
 
PDF
The Minimum Loveable Product
The Happy Startup School
 
PDF
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)
Board of Innovation
 
PDF
The Seven Deadly Social Media Sins
XPLAIN
 
PDF
Five Killer Ways to Design The Same Slide
Crispy Presentations
 
PPTX
How People Really Hold and Touch (their Phones)
Steven Hoober
 
PDF
Upworthy: 10 Ways To Win The Internets
Upworthy
 
PDF
What 33 Successful Entrepreneurs Learned From Failure
ReferralCandy
 
PDF
Design Your Career 2018
Slides That Rock
 
PPTX
Why Content Marketing Fails
Rand Fishkin
 
PDF
The History of SEO
HubSpot
 
PDF
How To (Really) Get Into Marketing
Ed Fry
 
PDF
The What If Technique presented by Motivate Design
Motivate Design
 
PDF
Displaying Data
Bipul Deb Nath
 
PPTX
10 Powerful Body Language Tips for your next Presentation
SOAP Presentations
 
PDF
Crap. The Content Marketing Deluge.
Velocity Partners
 
How to-use-buffer-by-ella
Eleaza Rose Devilleres
 
From Second Screen to Multi-Screen: We Are Social's Guide to Social Screens
We Are Social Singapore
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Christian Schneider
 
SteadyBudget's Seed Funding Pitch Deck
Shape Integrated Software
 
7 Tips to Beautiful PowerPoint by @itseugenec
Eugene Cheng
 
The Minimum Loveable Product
The Happy Startup School
 
How I got 2.5 Million views on Slideshare (by @nickdemey - Board of Innovation)
Board of Innovation
 
The Seven Deadly Social Media Sins
XPLAIN
 
Five Killer Ways to Design The Same Slide
Crispy Presentations
 
How People Really Hold and Touch (their Phones)
Steven Hoober
 
Upworthy: 10 Ways To Win The Internets
Upworthy
 
What 33 Successful Entrepreneurs Learned From Failure
ReferralCandy
 
Design Your Career 2018
Slides That Rock
 
Why Content Marketing Fails
Rand Fishkin
 
The History of SEO
HubSpot
 
How To (Really) Get Into Marketing
Ed Fry
 
The What If Technique presented by Motivate Design
Motivate Design
 
Displaying Data
Bipul Deb Nath
 
10 Powerful Body Language Tips for your next Presentation
SOAP Presentations
 
Crap. The Content Marketing Deluge.
Velocity Partners
 
Ad

Similar to Ruby on Rails security in your Continuous Integration (20)

PPTX
Kim van Wilgen - Continuous security - Codemotion Amsterdam 2019
Codemotion
 
PDF
Continuous security
Kim van Wilgen
 
PPTX
Kim van Wilgen - Continuous security - Codemotion Rome 2019
Codemotion
 
PDF
Shift Left Security
BATbern
 
PPTX
SPI Dynamics web application security 101
Wade Malone
 
PDF
AWS live hack: Atlassian + Snyk OSS on AWS
Eric Smalling
 
PPTX
Making Security Agile
Oleg Gryb
 
PDF
Security as Code: DOES15
Ed Bellis
 
PDF
Security Teams & Tech In A Cloud World
Mark Nunnikhoven
 
PPTX
360° Kubernetes Security: From Source Code to K8s Configuration Security
DevOps.com
 
PDF
Secure DevOps: A Puma's Tail
Puma Security, LLC
 
PDF
Reducing Risk of Credential Compromise at Netflix
SBWebinars
 
PPTX
Making Security Agile - Oleg Gryb
SeniorStoryteller
 
PPTX
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Kevin Fealey
 
PPTX
AppSec California 2016 - Making Security Agile
Oleg Gryb
 
PPTX
Security Observability for Cloud Based Applications
John Varghese
 
PDF
Devops security-An Insight into Secure-SDLC
Suman Sourav
 
PDF
LF_APIStrat17_Bulletproofing Your API's
LF_APIStrat
 
DOCX
Resume - Varsharani
Varsharani Kallimath
 
PDF
DEFCON 23 - Nir Valtman and Moshe Ferber - from zero to secure in 1
Felipe Prado
 
Kim van Wilgen - Continuous security - Codemotion Amsterdam 2019
Codemotion
 
Continuous security
Kim van Wilgen
 
Kim van Wilgen - Continuous security - Codemotion Rome 2019
Codemotion
 
Shift Left Security
BATbern
 
SPI Dynamics web application security 101
Wade Malone
 
AWS live hack: Atlassian + Snyk OSS on AWS
Eric Smalling
 
Making Security Agile
Oleg Gryb
 
Security as Code: DOES15
Ed Bellis
 
Security Teams & Tech In A Cloud World
Mark Nunnikhoven
 
360° Kubernetes Security: From Source Code to K8s Configuration Security
DevOps.com
 
Secure DevOps: A Puma's Tail
Puma Security, LLC
 
Reducing Risk of Credential Compromise at Netflix
SBWebinars
 
Making Security Agile - Oleg Gryb
SeniorStoryteller
 
Automating Your Tools: How to Free Up Your Security Professionals for Actual ...
Kevin Fealey
 
AppSec California 2016 - Making Security Agile
Oleg Gryb
 
Security Observability for Cloud Based Applications
John Varghese
 
Devops security-An Insight into Secure-SDLC
Suman Sourav
 
LF_APIStrat17_Bulletproofing Your API's
LF_APIStrat
 
Resume - Varsharani
Varsharani Kallimath
 
DEFCON 23 - Nir Valtman and Moshe Ferber - from zero to secure in 1
Felipe Prado
 

Recently uploaded (20)

PDF
medical staffing services at VALiNTRY
Tiyan Grayson
 
PPT
Introduction Database Management System for Course Database
ReinertYosua
 
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
PPTX
Introduction to Artificial Intelligence
lohedi9363
 
PPTX
Transform Your Business with a Software ERP System
Canada Software Company
 
PPTX
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PDF
Flood Susceptibility Mapping Using Image-Based 2D-CNN Deep Learnin. Overview ...
lawrenceomai2
 
PPTX
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
PDF
AI in Product Development-omnex systems
omnex systems
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PDF
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PDF
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PPTX
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PDF
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
medical staffing services at VALiNTRY
Tiyan Grayson
 
Introduction Database Management System for Course Database
ReinertYosua
 
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
Introduction to Artificial Intelligence
lohedi9363
 
Transform Your Business with a Software ERP System
Canada Software Company
 
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
Flood Susceptibility Mapping Using Image-Based 2D-CNN Deep Learnin. Overview ...
lawrenceomai2
 
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
AI in Product Development-omnex systems
omnex systems
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 

Ruby on Rails security in your Continuous Integration

  • 1. Confidential & proprietary © Sqreen, 2015 Rails Security Continuous Integration We make products antifragile.
  • 2. Confidential & proprietary © Sqreen, 2015 Jean-Baptiste Aviat Sqreen CTO (https://sqreen.io) Former Apple software security engineer Former white hat hacker Twitter: @JbAviat Email: jb@sqreen.io
  • 3. Confidential & proprietary © Sqreen, 2015 –Agent Smith “Never send a human to do a machine's job.”
  • 4. Confidential & proprietary © Sqreen, 2015 Continuous Integration Quality: automate everything you can Unit tests at every commit Integration tests at every commit Test against a production like stack Maximize confidence for every commit
  • 5. Confidential & proprietary © Sqreen, 2015 –Edsger W. Dijkstra “Testing shows the presence, not the absence of bugs.”
  • 6. Confidential & proprietary © Sqreen, 2015 Static & Dynamic analysis
  • 7. Confidential & proprietary © Sqreen, 2015 Static analysis - Brakeman http://brakemanscanner.org/ Written in Ruby Dedicated to Ruby on Rails Open source: https://github.com/presidentbeef/brakeman Podcast: Ruby Rogues #219
  • 8. Confidential & proprietary © Sqreen, 2015 Static analysis - Jenkins integration Jenkins plugin: https://wiki.jenkins-ci.org/display/JENKINS/Brakeman+Plugin Install Gem on test server Add an adequate test to Jenkins Done.
  • 9. Confidential & proprietary © Sqreen, 2015 Dynamic analysis - Arachni http://www.arachni-scanner.com/ Written in Ruby Compatible with any Web application Open source: https://github.com/Arachni/arachni/ Powerful but complex
  • 10. Confidential & proprietary © Sqreen, 2015 Dynamic analysis - Jenkins integration No Jenkins plugin Do it yourself JUnit XML (contact me) Order tests by sensitivity Set a short timeout Dynamic tests: the faster server the better Puma did well
  • 11. Confidential & proprietary © Sqreen, 2015 Demo
  • 12. Confidential & proprietary © Sqreen, 2015 Brakeman detects 2 XSS
  • 13. Confidential & proprietary © Sqreen, 2015 Brakeman detected XSS details Undetected issue Fake issue: @secure is static! Real XSS
  • 14. Confidential & proprietary © Sqreen, 2015 Arachne scan result
  • 15. Confidential & proprietary © Sqreen, 2015 Arachne issue details
  • 16. Confidential & proprietary © Sqreen, 2015 Issues False positives lower CI confidence Cannot test against production (dangerous), lead to more false positives Tools updates depend on maintainers will Need to iteratively adapt your code Vulnerabilities debt (legacy) Security tests are not written by you Need deep attack knowledge to understand them
  • 17. Confidential & proprietary © Sqreen, 2015 Sqreen: you code, we protect We automatically protect your apps Strong and transparent Beta program available: Come and see me if you have Rails or Sinatra based applications Sqreen is hiring : http://sqreen.io/jobs.html