
I would like to know whether there are any free tools available which can be used to test for security vulnerabilities in a Rails app. I came across skipfish, but I found its report was not very intuitive. Are there any similar tools available?

Update

I've found a tool, ZAP, which can be used for doing penetration testing of any web application. You can easily automate it by integrating it with testing tools such as Selenium. This looks really cool, has many features and is easy to use too.

Leena

leenasn

2 Answers


Rails Best Practices, already mentioned, is very good for general code quality checks, but specifically for security vulnerability checks, definitely have a look at Brakeman, "an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development".

You could also hook your app into Rails Brakeman to have the Brakeman security report run every time you do a commit at GitHub.

Paul Fioravanti
  • Thanks @Paul, [Brakeman](http://brakemanscanner.org/) looks interesting. Will check that for sure. – leenasn Jul 04 '12 at 06:03
  • There's also the Brakeman [Jenkins plugin](https://github.com/jenkinsci/brakeman-plugin) as well as [guard-brakeman](https://github.com/guard/guard-brakeman) ;) – oreoshake Sep 07 '12 at 20:45
  • I suggest also giving [codesake-dawn](https://github.com/codesake/codesake-dawn) a try. Codesake::Dawn is a security source code scanner with more than 140 security checks; it's similar to Brakeman and it also supports the Sinatra and Padrino frameworks. Disclaimer: I'm the Codesake::Dawn author... it would be great for me to have some feedback to improve the tool even more. – Paolo Perego Feb 13 '14 at 15:27
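The asker wants a scanner that runs as part of the build, and this answer suggests running Brakeman on every commit. Brakeman can write its findings as JSON (`brakeman -f json -o report.json`), so a small gate script can decide whether the build passes. The script below is an added example, not code from the Brakeman project or from this answer: it parses a constructed sample report whose field names (`warnings`, `confidence`, `fingerprint`, `file`, `line`, `warning_type`, `errors`) follow Brakeman's JSON output as I know it, fails the build when any warning at or above a chosen confidence level is not on a known-accepted baseline, and treats scanner errors as failures so a crashed check cannot pass silently. The `brakeman_gate` function and its `min_confidence` / `baseline_fingerprints` parameters are my own names.

```ruby
require 'json'

# Constructed sample of a Brakeman JSON report (as produced by `brakeman -f json`).
# The three findings and their fingerprints are invented for this example.
SAMPLE_REPORT = <<~JSON
{
  "scan_info": {"app_path": "/srv/myapp", "security_warnings": 3},
  "warnings": [
    {"warning_type": "SQL Injection", "check_name": "SQL", "confidence": "High",
     "file": "app/models/user.rb", "line": 12, "fingerprint": "aaa111",
     "message": "Possible SQL injection"},
    {"warning_type": "Cross-Site Scripting", "check_name": "CrossSiteScripting",
     "confidence": "Medium", "file": "app/views/posts/show.html.erb", "line": 4,
     "fingerprint": "bbb222", "message": "Unescaped model attribute"},
    {"warning_type": "Mass Assignment", "check_name": "ModelAttributes",
     "confidence": "Weak", "file": "app/models/post.rb", "line": 1,
     "fingerprint": "ccc333", "message": "Mass assignment is not restricted"}
  ],
  "ignored_warnings": [],
  "errors": []
}
JSON

# Brakeman reports each warning with one of these confidence levels.
CONFIDENCE_RANK = { "High" => 3, "Medium" => 2, "Weak" => 1 }.freeze

# Summarise a Brakeman JSON report and decide whether the build may proceed.
# - min_confidence: lowest confidence level that blocks the build.
# - baseline_fingerprints: fingerprints of findings already reviewed and accepted
#   (Brakeman fingerprints are stable across runs, so a baseline survives line moves).
# Returns a hash with per-level counts, the blocking findings, scanner errors and
# a :passed flag; scanner errors always fail the gate.
def brakeman_gate(report_json, min_confidence: "Medium", baseline_fingerprints: [])
  report    = JSON.parse(report_json)
  threshold = CONFIDENCE_RANK.fetch(min_confidence)
  warnings  = report.fetch("warnings", [])
  errors    = report.fetch("errors", [])

  counts = Hash.new(0)
  warnings.each { |w| counts[w["confidence"]] += 1 }

  blocking = warnings.select do |w|
    CONFIDENCE_RANK.fetch(w["confidence"], 0) >= threshold &&
      !baseline_fingerprints.include?(w["fingerprint"])
  end

  {
    counts:   counts,
    blocking: blocking.map { |w| "#{w['file']}:#{w['line']} #{w['warning_type']} (#{w['confidence']})" },
    errors:   errors,
    passed:   blocking.empty? && errors.empty?
  }
end

# Stand-alone usage: pass the path of a real report as the first argument,
# otherwise the constructed sample is evaluated.
if __FILE__ == $PROGRAM_NAME
  json   = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_REPORT
  result = brakeman_gate(json)
  puts "Warnings by confidence: #{result[:counts].to_h.inspect}"
  result[:blocking].each { |finding| puts "BLOCKING: #{finding}" }
  result[:errors].each   { |err| puts "SCANNER ERROR: #{err.inspect}" }
  puts(result[:passed] ? "Brakeman gate: PASS" : "Brakeman gate: FAIL")
end
```

In a CI job the script would run right after `brakeman -f json -o report.json` and the job would use `result[:passed]` as its exit status. Keeping a fingerprint baseline under version control lets a team adopt the gate on an existing app without first fixing every historical warning, while still blocking any new High or Medium finding.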

I can only see the book about it, Rails Security Guides.

For an overall check of your code, use the rails_best_practices gem.

Anatoly
  • Thanks for your reply. I was looking for some tools which can be used for doing security testing as part of our build process. – leenasn Jul 21 '11 at 04:14