Interview with Justin Collins on Brakeman and Rails security at RailsConf 2014

Description: Interview with Justin Collins at RailsConf 2014 on Brakeman and Rails security. This recording captures practical lessons and perspective for software teams and technical communities.
Published: May 13, 2022

Transcript

Hi, it’s Mike with UGtastic. I’m here again at RailsConf 2014 and I’m standing here with Justin Collins. Justin is going to be doing a talk tomorrow called “Tales from the Crypt”, but he’s also the creator of the Brakeman gem. Well, thank you very much for taking the time to speak with me. First, can we start with the Brakeman gem? Because I’m a fan, but I’d like you to describe what it is.

Sure. So, the Brakeman gem is a static analysis security tool for Ruby on Rails applications. So, it looks at your source code, finds potential vulnerabilities, and lets you know about them.

Great. But wait, it’s a dynamic language. How can we do any kind of static analysis?

Oh, boy. So, I’ve talked about that quite a bit. You know, the important thing for a security tool is just finding stuff. And, yes, static analysis security purists may be upset because you can’t prove certain things or you can’t analyze certain things. But for a security tool, it’s really not that important that it be perfect, but just that we’re able to identify potential problems inside the source code.

So, it’s kind of like, just because you can’t maybe identify everything, it doesn’t
mean you shouldn’t identify... Exactly, exactly.

So what kind of inspired you to create it, right then? Um, it’s kind of a long story, but basically I got an internship on a security team at AT&T Interactive, and I had proposed during my interview something like this, knowing nothing about security or Rails. I mean, I knew what it was, but no experience with Rails. I proposed, hey, what if you just had a tool that found this stuff for you, right? And then they said, hey, why don’t you work on a tool that would find this stuff for us. Um, and they were nice enough to allow me to open source it at the end of my internship, and then I worked for them later as well on it.

So security is something that you have a passion about?

Um, I mean, I fell into it by accident, you know. Like, I just happened to get an internship on a security team, no real security experience before that. But, um, I’ve been able to create a tool that’s been really helpful for people, and through that tool I’ve gotten into the security community. And, you know, I think as a developer there’s always an advantage to being a developer and having security knowledge, because a lot of times the security community is not perceived as being very nice people, or very smart people sometimes, by developers who are like, I’m just trying to get stuff done, they’re always blaming me for doing things wrong, but what do they know, they don’t even write code. Right, right. So it’s always good to be able to bridge that gap and approach people, you know, in a nice way. Be a nice person.

Right, yeah. And, you know, I’ve liked being able to run the Brakeman analysis on my gem, and on a few other, you know, on my projects, a few other gems, you know, along those lines of the Rails Best Practices... Sure. And then Bullet, you know, anything that can help give a little bit of insight into what’s going on in the code is always great. But I was curious, you said you can’t cover everything. Is there something maybe you could think of that you
would like to be able to cover, but as a common problem it’s just kind of too hard to really pin down, that developers on Rails projects should be thinking about?

Um, wow, that’s a really good question. Um, yes. I mean, there are things that are difficult to determine statically, there are some things that it would just take too much time to determine, and I try to keep up to date with the things that I’ve done, and I think that’s the best way to do it. Um, so I think that’s the best way to do it for most people. Um, I think one good example, for example, is that, you know, you don’t always know what gems are doing. Brakeman doesn’t look at your dependencies. Um, helper methods, for example, they tend to use html_safe a lot, because maybe they’re building out tags, and you tend to trust those helper methods because somebody wrote it and they probably know what they were doing, and in your view it looks like it’s escaped. But actually the helper might be setting html_safe and building out some tags, but they’re also putting in user input. Now you have cross-site scripting. Okay. And that’s something that Brakeman could possibly find, but right now it can’t.

So something to look at is: look at your gems, if they’re doing dynamic... if your content generally... Yeah, any kind of content generation, any kind of, oh, I’m using this helper to generate some HTML, you might want to look into that and see what exactly are they doing. Are they properly escaping the values, or are they just calling html_safe and just jamming it in there? Yeah, exactly, exactly.

So it brings me over to your talk. It’s a group talk, but it’s Tales from the Crypt. Yes. And now I’m presuming that’s encryption? That would be a good assumption, yeah, but we’re actually not going to talk about encryption at all. Okay. Yes. Well, it’s a very side note. Okay. Um, to be honest, I didn’t notice the pun until after the talk was done. Oh, we should have done something with this pun. Yeah. I have some, probably,
because with OpenSSL, all the Heartbleed stuff, encryption is kind of a hot topic right now.

It is a hot topic, but I think everyone’s kind of aware. You know, I have very non-technical people approach me and say, hey, what about Heartbleed? Like, did that affect Twitter? Should I do something? And these are people who are not technical at all, and yet they’ve heard about it. So I don’t think people at RailsConf need to hear about it even more. Right, right. Um, and that wasn’t the purpose of our talk. The purpose of our talk is just, um, we’re going to present sort of your worst nightmare, one day in the life of a couple developers at a company, and it’s just like one security problem after another. Okay. And just kind of trying to demonstrate, you know, these things happen. I mean, people find these problems, people’s sites get hacked into, and so it’s kind of just a teaching, and hopefully we can present some proactive steps to prevent these really bad days from happening.

Well, I’m looking forward to your talk, and I really appreciate you taking the time to speak with me. No problem, thank you. Thank you. Great, perfect, thank you very much.

Yeah, man, my legs are funny. Um, you know, that was... have some pure static analysis, or at least information... No, so the story I was going to tell you... All right, so I worked with, not directly worked with, Aaron, but we sat in proximity to each other. Hey, Groupon. Okay. The first Groupon... the first time? Yes. And, um...

User groups with lots to say, interviews and more, no way! Sharing great ideas in the tech community, fascinating conversations, a plethora of information. Find out for yourself today at ugtastic.com.
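The helper-method cross-site scripting pattern Justin describes above, shown as an added example (written for this page, not Brakeman's code or the interviewee's): a helper that string-builds a tag around user input beside one that escapes each value first. It is plain Ruby, so `ERB::Util.html_escape` stands in for Rails' view escaping and the `.html_safe` call a Rails helper would add is left out so the file runs without Rails.

```ruby
require 'erb'

# Constructed sample input: an attacker-controlled display name such as a
# helper might receive from params or a user record.
USER_INPUT = '<img src=x onerror=alert(1)>'

# Unsafe helper: builds the tag by string interpolation. In a Rails app this
# result would typically be returned with `.html_safe`, so the view renders
# it verbatim and the raw user input lands in the page unescaped.
def unsafe_badge(name, css_class = 'badge')
  "<span class=\"#{css_class}\">#{name}</span>"
end

# Safe helper: every dynamic value is escaped before it is concatenated into
# the markup. Only a string built this way is a candidate for html_safe.
def safe_badge(name, css_class = 'badge')
  esc = ->(value) { ERB::Util.html_escape(value.to_s) }
  "<span class=\"#{esc.call(css_class)}\">#{esc.call(name)}</span>"
end

# Crude review check for helper output: does the rendered HTML still contain
# the input byte-for-byte? If so, nothing escaped it on the way through.
def reflects_raw_input?(html, input)
  html.include?(input)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{unsafe_badge(USER_INPUT)}"
  puts "safe:   #{safe_badge(USER_INPUT)}"
end
```

The same check is worth running against any gem helper that ends in `html_safe`: feed it a string containing `<`, `>` and `"` and confirm they come back encoded.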