In its almost six years of existence, Brakeman has become the de facto static application security testing (SAST) tool for Ruby on Rails. With nearly 3 million gem downloads, it is used by developers and security professionals alike, for personal projects and at companies large and small. It is integrated into several SaaS offerings and is a part of the development pipeline at many companies.
This is an overview of what we think makes Brakeman special and enduring.
Brakeman was designed from the beginning to be easy for anyone to use, right out of the box. It is installed like any other Ruby gem and can be run in the root of an application with zero arguments to get started quickly.
It is common for security tools to be built by and for security professionals, but Brakeman is intended for anyone to use, especially software developers. While there is always work to be done to make the documentation more robust and informational, Brakeman is a valuable tool for learning about Rails security without much prior knowledge.
Care is also taken to ensure Brakeman can be easily integrated into testing flows with JSON output and the ability to compare reports. Security should be automated as much as possible, and Brakeman tries to make it convenient to build into your development process.
What separates Brakeman the most from the majority of open source SASTs is its use of data flow analysis. Brakeman performs local (intraprocedural) data flow inside individual methods, where it tracks assignments, manages conditional branches, performs simple arithmetic, and more. (You can learn more at Ruby Remote Conf in June.) This provides a more accurate view of application code than simply searching the code without any evaluation.
More importantly, Brakeman models the flow of information in a Rails application from controllers (and filters) to views and partials. This is critical to finding vulnerabilities and avoiding false positives in code that would otherwise appear innocuous without deep investigation.
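To make the intraprocedural data flow described above concrete, here is an added toy taint tracker over a small constructed statement IR. It is not Brakeman's code (Brakeman works on RubyParser's Sexp and its rules are far more involved); the IR node names, the `:clean` sanitizer node and the sample program are all assumptions made for the illustration.

```ruby
require "set"

# Toy intraprocedural taint tracking (constructed IR, not Brakeman's).
# Expressions: [:param, key]  user input            [:str, "literal"]
#              [:lvar, name]  local variable read    [:dstr, e1, e2, ...] interpolation
#              [:clean, e]    a sanitizing call whose result is treated as safe
# Statements:  [:asgn, name, expr]  [:if, cond, then_stmts, else_stmts]  [:sink, desc, expr]

def tainted?(expr, tainted)
  case expr[0]
  when :param then true
  when :lvar  then tainted.include?(expr[1])
  when :dstr  then expr.drop(1).any? { |e| tainted?(e, tainted) }
  else false                                  # :str and :clean never carry taint
  end
end

# Walks the statements once; returns [warnings, set of tainted variables afterwards].
def analyze(stmts, tainted = Set.new)
  warnings = []
  stmts.each do |stmt|
    case stmt[0]
    when :asgn
      name, expr = stmt[1], stmt[2]
      tainted?(expr, tainted) ? tainted.add(name) : tainted.delete(name)
    when :if
      # Each branch starts from a copy of the current state; afterwards a variable
      # is tainted if either branch could have left it tainted (conservative merge).
      then_w, then_t = analyze(stmt[2], tainted.dup)
      else_w, else_t = analyze(stmt[3], tainted.dup)
      warnings.concat(then_w).concat(else_w)
      tainted = then_t | else_t
    when :sink
      warnings << "#{stmt[1]}: user input reaches sink" if tainted?(stmt[2], tainted)
    end
  end
  [warnings, tainted]
end

# Constructed sample, roughly: name = params[:name]; if admin then name = "system"
# else name = "#{name}%" end; User.where("name LIKE '#{name}'") (flagged, because the
# else branch keeps the taint); q = sanitize(params[:q]); User.where(q) (not flagged).
SAMPLE = [
  [:asgn, :name, [:param, :name]],
  [:if, [:lvar, :admin], [[:asgn, :name, [:str, "system"]]],
                         [[:asgn, :name, [:dstr, [:lvar, :name], [:str, "%"]]]]],
  [:sink, "SQL in User.where", [:dstr, [:str, "name LIKE '"], [:lvar, :name], [:str, "'"]]],
  [:asgn, :q, [:clean, [:param, :q]]],
  [:sink, "SQL in User.where", [:lvar, :q]]
]

def sample_warnings
  analyze(SAMPLE).first
end
```

Running `sample_warnings` yields one warning for the first `where` call and none for the sanitized one, which is the difference between tracking assignments through branches and merely grepping for `params`.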
Brakeman’s rules are considerably more complex than those of most open source SASTs, which is both an advantage and a disadvantage. No, Brakeman does not just do textual pattern-matching! And most rules are more complex than just matching patterns in the abstract syntax tree. The value of a static analysis tool is using the information present in the code (and inferred from the Rails stack) to find potentially vulnerable code.
While false positives are just part of life for security tools, considerable effort is taken to avoid them in Brakeman. Even for CVE warnings, Brakeman typically attempts to check for direct uses of official workarounds, as well as adjusting severity based on whether or not it can detect actual vulnerable code in the application.
One advantage Brakeman has is hard to replicate: nearly six years of development. Back in 2010, Rails 3 was cutting edge and Ruby 1.9.3 was not yet released. Brakeman had to work with Rails 2.3.x and Ruby 1.8. Since its initial release, Brakeman has adapted to support Rails 3, 4, and soon Rails 5 applications, as well as Ruby 1.9.x and 2.x (thanks to RubyParser). Brakeman continues to support scanning ancient Rails applications - which probably need it most!
There is no doubt much of Brakeman’s success is due to its free and open nature. For a static analysis tool, having many users run it in many different setups and across varied applications and code bases is critical. People write the strangest code and there is no way the author of a tool can test all possible cases. Contributions from the community, even just bug reports, are essential for Brakeman to continue being the best Ruby on Rails SAST.
Brakeman can be viewed as a codification of security knowledge from many sources, from security guides to security professionals to regular developers. Over the years many people have contributed ideas, vulnerabilities, and code to make Brakeman a powerful, free security tool for anyone who needs it.
When development of Brakeman began six years ago, it was assumed Brakeman would simply be a stop-gap until commercial tools gained support for Ruby and Rails. For the most part, that support has not materialized. For many users, Brakeman remains the best option for testing Rails security via static analysis.
Brakeman will remain free and open and development will continue as long as it remains useful.
However, if you are using Brakeman for commercial security assessments or to keep your company’s applications secure, consider supporting continued Brakeman development via Brakeman Pro.
Thank you to everyone who has contributed to and supported Brakeman over the years!