Securing OneLogin for our Customers with Brakeman

September 23rd, 2014 / product and technology

I am always looking for ways to strengthen our security posture so we can better protect our customers and their data. Recently we added the Brakeman security scanner to our development security portfolio. With Brakeman and Travis CI, our continuous integration framework, OneLogin has enhanced its secure development process so that every commit is automatically security-scanned.

Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development. OneLogin selected Brakeman because it is tailored to Rails: it is much more than a simple grep/search tool, since it actually parses the Ruby code and models the application (routes, controllers, models and templates). That is what lets it avoid many of the false positives a plain pattern match would produce.

Travis CI is a hosted continuous integration and deployment system we use for testing our codebase. All new code is automatically tested and any errors are reported to the engineers. This automated testing is great for catching errors that might otherwise be missed.

Brakeman has already caught several potential vulnerabilities, and we were able to fix them before the code was merged into the application. This is really valuable: we are not only more secure, but it did not require an engineer to constantly review code, saving engineering hours and reducing the chance that a reviewer misses the vulnerability.

During the setup we found surprisingly few resources on how people had previously integrated Brakeman with Travis CI, so we decided to write this blog post about our experience.

Setting up Travis CI to run on your GitHub repository is out of scope for this blog, but documentation is available from Travis CI.

After Travis CI is set up and automatically running on all new code, the process of integrating Brakeman is simple:

1. Set up .travis.yml to install brakeman and run our brakeman.rb script.

  ...
  before_script:
    - gem install brakeman
  ...
  script:
    # Ruby 1.9 and later load RubyGems automatically, so the "-rubygems"
    # flag (really "-r ubygems", a shim that was removed in Ruby 2.5) is
    # not needed; plain "ruby" runs the script on any current Ruby.
    - ruby spec/travis/brakeman.rb


There are other options, such as adding brakeman as a dependency in the Gemfile and generating a rake task.

2. Create spec/travis/brakeman.rb:

  require 'brakeman'

  # Run Brakeman as a library against the application root. Travis runs
  # the script from the repository root, so "." is the Rails app; the
  # original used "" here, which Brakeman expands to the same directory.
  tracker = Brakeman.run :app_path => ".", :quiet => false

  # Print the full text report into the build log.
  puts tracker.report

  # filtered_warnings excludes anything listed in config/brakeman.ignore,
  # so only findings nobody has reviewed and ignored fail the build.
  if tracker.filtered_warnings.empty?
    puts "Brakeman did not find any new vulnerabilities."
  else
    tracker.filtered_warnings.each do |warning|
      puts warning
    end
    # An uncaught exception makes ruby exit non-zero, which fails the build.
    raise "Brakeman found vulnerabilities!!!!"
  end


The script above starts by invoking the library version of Brakeman via Brakeman.run. After printing the report, we check whether filtered_warnings is empty; if it is, we are good to go (filtered_warnings is discussed more below). If it is not empty, Brakeman found vulnerabilities that have not been reviewed and ignored, and our script raises an error so the build fails.

3. Set up config/brakeman.ignore.
Sometimes Brakeman will find false positives that you wish to ignore. Brakeman 2.5 introduced this functionality with the config/brakeman.ignore JSON file. By using Brakeman's interactive ignore feature, you can generate a config/brakeman.ignore file that causes the scanner to leave those findings out of filtered_warnings (that is why brakeman.rb checks filtered_warnings instead of just warnings). Each entry is keyed by a fingerprint derived from the warning and its location, so an ignored warning comes back as soon as the flagged code changes and has to be reviewed again. Commit the file alongside the code so the Travis build picks it up.

To generate a config/brakeman.ignore file, change your Brakeman.run call to the following:

  tracker = Brakeman.run :app_path => ".", :quiet => false, :interactive_ignore => true

Then run brakeman.rb locally via:

  ruby spec/travis/brakeman.rb


Brakeman will prompt you for each vulnerability it has found. Choose 'i' to ignore the vulnerability, or 'a' to ignore ALL vulnerabilities that Brakeman finds. Use 'a' with care: it silences every finding the scanner currently reports, including real ones, so review each warning before choosing it. After saving the results, you will have a new config/brakeman.ignore. Remove the :interactive_ignore option again before committing, since an interactive prompt would hang the Travis build.
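The three steps above amount to one rule: a warning fails the build unless its fingerprint appears in config/brakeman.ignore. The following is an added example, not OneLogin's script or Brakeman's own code, that applies that rule over Brakeman's JSON report (what `brakeman -f json` writes) and a brakeman.ignore file, so it runs without the gem installed and can be checked by hand. Both inputs are constructed samples that keep only the fields the script reads (a real report and ignore file carry more), the fingerprints are made-up placeholders, and it adds one check brakeman.rb does not do: it flags ignore entries whose fingerprint no longer matches any current warning, which is how stale ignores accumulate after the code they covered is gone.

```ruby
require "json"

# Constructed sample of a Brakeman JSON report, trimmed to the fields used
# here. Fingerprints are placeholders, not real Brakeman hashes.
SAMPLE_REPORT_JSON = <<~JSON
  {
    "warnings": [
      {"warning_type": "SQL Injection", "message": "Possible SQL injection",
       "file": "app/models/user.rb", "line": 42, "fingerprint": "aaaa1111"},
      {"warning_type": "Cross-Site Scripting", "message": "Unescaped model attribute",
       "file": "app/views/users/show.html.erb", "line": 7, "fingerprint": "bbbb2222"},
      {"warning_type": "Mass Assignment", "message": "Unprotected mass assignment",
       "file": "app/controllers/users_controller.rb", "line": 15, "fingerprint": "cccc3333"}
    ]
  }
JSON

# Constructed sample of config/brakeman.ignore. The second entry points at a
# warning that no longer exists, the situation the stale check catches.
SAMPLE_IGNORE_JSON = <<~JSON
  {
    "ignored_warnings": [
      {"fingerprint": "bbbb2222", "warning_type": "Cross-Site Scripting",
       "note": "attribute is escaped by the view helper; reviewed"},
      {"fingerprint": "dddd4444", "warning_type": "Redirect",
       "note": "entry left behind after the redirect code was removed"}
    ]
  }
JSON

# Warnings from a Brakeman JSON report.
def load_warnings(report_json)
  JSON.parse(report_json).fetch("warnings", [])
end

# Fingerprints of every entry in a brakeman.ignore file.
def load_ignored_fingerprints(ignore_json)
  JSON.parse(ignore_json).fetch("ignored_warnings", []).map { |e| e["fingerprint"] }
end

# Split warnings into those still reported (the equivalent of
# filtered_warnings) and those suppressed by the ignore file, and list
# ignore entries that match no current warning. Because the fingerprint
# changes with the flagged code, an edited finding drops out of the ignore
# list and is reported again.
def gate_warnings(warnings, ignored_fingerprints)
  remaining, suppressed = warnings.partition do |w|
    !ignored_fingerprints.include?(w["fingerprint"])
  end
  current = warnings.map { |w| w["fingerprint"] }
  stale = ignored_fingerprints.reject { |fp| current.include?(fp) }
  { remaining: remaining, suppressed: suppressed, stale: stale }
end

# One line per warning for the build log, with the fingerprint so an
# engineer can find the matching ignore entry.
def format_warning(w)
  "#{w['warning_type']}: #{w['message']} " \
    "(#{w['file']}:#{w['line']}, fingerprint #{w['fingerprint']})"
end

# Exit status for CI: non-zero as soon as any un-ignored warning remains.
def ci_exit_status(result)
  result[:remaining].empty? ? 0 : 1
end

if __FILE__ == $0
  result = gate_warnings(load_warnings(SAMPLE_REPORT_JSON),
                         load_ignored_fingerprints(SAMPLE_IGNORE_JSON))
  result[:remaining].each { |w| puts "FAIL  #{format_warning(w)}" }
  result[:stale].each { |fp| puts "STALE ignore entry #{fp} matches no current warning" }
  puts "#{result[:suppressed].length} warning(s) suppressed by brakeman.ignore"
  puts "build exit status would be #{ci_exit_status(result)}"
end
```

On the sample data the script reports the SQL injection and mass assignment warnings, suppresses the XSS one, flags the leftover redirect entry as stale, and yields exit status 1. In a real CI step the last line would be `exit ci_exit_status(result)`; the stale list is worth failing on as well, or at least printing, because an ignore entry nobody can trace to live code is exactly the kind of entry that gets copied forward without review.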

And that was it! In summary: modify .travis.yml, add spec/travis/brakeman.rb and config/brakeman.ignore, and every commit is scanned by Brakeman before it can be merged.

About the Author

Rob Fletcher is Lead Security Engineer at OneLogin, where he is responsible for defining and executing security initiatives. His background includes being a Security Engineer for Mozilla and Cisco. Rob is passionate about web application security and web application frameworks. He holds a M.S. from University of Tennessee.
