4

I want to check one of my RoR projects for security vulnerabilities. So can anybody recommend any gems for my needs?

egoholic
  • A subtlety to avoid close votes for seeking product recommendation; ask "are there such things as gems that check for vulnerabilities, and if so, how do they compare to an actual penetration test?" – J.A.K. Feb 23 '17 at 09:06

2 Answers

7

Yes. You want Brakeman, a tool that scans your RoR code for security vulnerabilities.

I recommend reading the OWASP Ruby on Rails Security Guide.

You could also try any web pen-testing tool; they are not language-specific. There are many of them. They only find low-hanging fruit, not all security problems, but it can't hurt to use them just in case they find anything your other methods missed. Search on this forum to find more information, e.g., What tools are available to assess the security of a web application?

D.W.
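As an added example that is not part of D.W.'s answer: a small Ruby script that triages a Brakeman JSON report the way a CI gate would, applying a confidence threshold, honouring a brakeman.ignore file, and flagging ignore entries that no longer match anything. The field names (`warnings`, `confidence`, `warning_type`, `fingerprint`, and the `ignored_warnings` list of the ignore file) follow the format Brakeman writes with `brakeman -f json -o brakeman.json`; the report and ignore file embedded below are constructed sample data, and their file paths, messages and fingerprints are made up.

```ruby
# Added example (not from the original answer): triage a Brakeman JSON report
# as a CI gate would, honouring a brakeman.ignore file.
# Field names follow the JSON Brakeman writes with `brakeman -f json -o brakeman.json`;
# every value below is CONSTRUCTED sample data, not output of a real scan.
require "json"
require "set"

# Constructed report: four findings of differing confidence.
SAMPLE_REPORT = <<~'JSON'
  {
    "scan_info": {"app_path": "/src/myapp", "rails_version": "5.0.1", "brakeman_version": "3.5.0"},
    "warnings": [
      {"warning_type": "SQL Injection", "fingerprint": "a1b2c3d4",
       "message": "Possible SQL injection",
       "file": "app/models/user.rb", "line": 42,
       "code": "User.where(\"name = '#{params[:name]}'\")", "confidence": "High"},
      {"warning_type": "Cross-Site Scripting", "fingerprint": "c9d0e1f2",
       "message": "Unescaped model attribute",
       "file": "app/views/users/show.html.erb", "line": 7,
       "code": "raw(@user.bio)", "confidence": "Medium"},
      {"warning_type": "Redirect", "fingerprint": "e5f6a7b8",
       "message": "Possible unprotected redirect",
       "file": "app/controllers/sessions_controller.rb", "line": 18,
       "code": "redirect_to(params[:return_to])", "confidence": "Weak"},
      {"warning_type": "Mass Assignment", "fingerprint": "1a2b3c4d",
       "message": "Unprotected mass assignment",
       "file": "app/controllers/users_controller.rb", "line": 30,
       "code": "User.new(params[:user])", "confidence": "Weak"}
    ],
    "ignored_warnings": [],
    "errors": [],
    "obsolete": []
  }
JSON

# Constructed brakeman.ignore: one live suppression (the redirect above) and
# one stale entry whose fingerprint matches no current warning.
SAMPLE_IGNORE = <<~'JSON'
  {
    "ignored_warnings": [
      {"fingerprint": "e5f6a7b8", "note": "return_to is checked against an allow-list of route names"},
      {"fingerprint": "deadbeef", "note": "old finding in a controller that has since been removed"}
    ],
    "updated": "2017-02-23 09:06:00 +0000",
    "brakeman_version": "3.5.0"
  }
JSON

# Brakeman reports confidence as a string; rank it so a threshold can be applied.
CONFIDENCE_RANK = { "High" => 3, "Medium" => 2, "Weak" => 1 }.freeze

def ignored_fingerprints(ignore_json)
  JSON.parse(ignore_json).fetch("ignored_warnings", []).map { |w| w["fingerprint"] }.to_set
end

# Warnings at or above min_confidence whose fingerprint is not suppressed.
def actionable_warnings(report_json, ignore_json, min_confidence: "Medium")
  floor   = CONFIDENCE_RANK.fetch(min_confidence)
  ignored = ignored_fingerprints(ignore_json)
  JSON.parse(report_json).fetch("warnings", []).reject do |w|
    ignored.include?(w["fingerprint"]) || CONFIDENCE_RANK.fetch(w["confidence"], 0) < floor
  end
end

# Ignore-file entries that match no reported warning. Fingerprints change when
# the flagged code moves or changes, so these are review notes that have drifted
# from the code and should be pruned.
def stale_ignores(report_json, ignore_json)
  live = JSON.parse(report_json).fetch("warnings", []).map { |w| w["fingerprint"] }.to_set
  (ignored_fingerprints(ignore_json) - live).to_a.sort
end

# Count of actionable warnings per type, for the one-line CI summary.
def summarize(warnings)
  warnings.group_by { |w| w["warning_type"] }.transform_values(&:size)
end

def format_warning(w)
  "#{w['confidence'].ljust(6)} #{w['warning_type']} #{w['file']}:#{w['line']} -- #{w['message']}"
end

# Exit status a CI step would return: 0 only when nothing actionable remains.
def ci_exit_status(report_json, ignore_json, min_confidence: "Medium")
  actionable_warnings(report_json, ignore_json, min_confidence: min_confidence).empty? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  findings = actionable_warnings(SAMPLE_REPORT, SAMPLE_IGNORE)
  findings.each { |w| puts format_warning(w) }
  puts "summary: #{summarize(findings)}"
  puts "stale ignore entries: #{stale_ignores(SAMPLE_REPORT, SAMPLE_IGNORE).join(', ')}"
  puts "exit status: #{ci_exit_status(SAMPLE_REPORT, SAMPLE_IGNORE)}"
end
```

Run against the constructed data, the Medium threshold leaves the SQL injection and XSS findings, suppresses the redirect via the ignore file, drops the Weak mass-assignment finding, and reports `deadbeef` as a stale ignore entry. The threshold is a triage knob, not a safety claim: a Weak finding is still a finding, and a clean Brakeman run is static analysis, not the penetration test the comment above the answers contrasts it with.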
0

Disclaimer: I'm the gem author.

I wrote Codesake::Dawn, a security source code scanner for Ruby code. I'm close to releasing version 1.1.0 with 171 security checks (CVE bulletins and the OWASP RoR cheatsheet) included. It works with Sinatra, Padrino and Rails web applications out of the box.

It doesn't detect XSS introduced in your code... yet :-)

Paolo Perego