I have been trying to do a bit more advertising of Brakeman lately. I have two reasons for doing so: firstly, I think it’s a really useful tool and will make the world a safer place. Secondly, I keep hoping someone else will find bugs in it for me.
One of my design decisions for Brakeman is that it should never crash and should always output some kind of report. I don’t always meet this goal, so I am very interested in any cases where a Rails app will actually make Brakeman fall on its face.
Lately, I have (finally) been putting together a test suite. I’m already finding issues with features I thought were working. Hopefully it will help me avoid embarrassing regressions in the future, too.
If you are in the Los Angeles area, I will be presenting on using Brakeman with Jenkins at the LA OWASP on Wednesday the 25th. Then, next month, I have a similar but unconfirmed talk at LA Ruby. The difference between the two is that I will talk more about Ruby and Rails at the OWASP meeting. At least, I think I will. This blog post is part of my avoiding actually making the slides.
Oh, what is Brakeman? It is a static analysis tool for finding security vulnerabilities in Ruby on Rails applications. It does a pretty good job, most of the time.