Brakeman Pro vs. Open Source Brakeman

We love it. I have, in fact, evangelized it to some of our engineering teams that use ROR. I am not sure if they have decided to step up to commercial, but I strongly recommended it. It is a great tool and it saves me a huge amount of time and effort.

Fortune 50 Communications Company

Feature | Brakeman OSS | Brakeman Pro Engine | Brakeman Pro Desktop
Fast source code security scans
Zero configuration required
Detects 20+ vulnerability types
Run at any point in development
Rails data flow analysis
JSON reports
False positive management
Command line interface
Minitest/RSpec Integration
Graphical desktop interface
Manage all reports in one place
Filter, sort, and search warnings
Track validated warnings
Create custom rules
Quickly explore action filters
Extended warning explanations
Syntax-highlighted code views
Store notes per warning
Analysis of view helpers
Deeper controller analysis
Render path navigation
Detect dynamic evaluation
Detect use of basic authentication
PDF reports
OWASP Top 10 mapping
Commercial support

Information about Brakeman Pro

Brakeman Pro's relationship with the open source Brakeman project

Justin Collins, the president of Brakeman, Inc., is the original author of Brakeman. Co-founder Neil Matatall is the next largest open source contributor to the Brakeman project. We remain committed to the open source project, which is not owned by nor controlled by any corporate entity. In fact, work on the Brakeman Pro side has already resulted in many improvements to the open source project. We believe that maintaining and supporting the open source Brakeman project demonstrates our commitment to integrity.

What is different about Brakeman Pro? Why not use the free version of Brakeman?

The most obvious difference is the Brakeman Pro GUI, which is not available in the open source version. However, the differences go deeper than just the interface.

The goals of open source Brakeman are to be simple to use, fast, and as accurate as possible (low false positive rate). Open source Brakeman should be easily accessible even to those new to security tools, it should be fast enough to run as part of continuous integration, and it should produce few enough false positives that users are not annoyed by it. Brakeman Pro, on the other hand, provides a richer (and more complicated) interface, performs slower but deeper scans, and reports as much information as possible, which may mean more false positives. Brakeman Pro also makes those false positives easy to manage.

Additionally, once an open source Brakeman report is generated, it is up to the user to manage the reports. Brakeman Pro provides a streamlined interface to manage warnings and reports across multiple scans and projects.

The Brakeman Pro engine diverges from the open source engine to provide more warnings, deeper analysis, and a wider breadth of information about the Rails applications being scanned. The goal is to provide a detailed picture of Rails applications from a security standpoint and enable users to quickly search for security vulnerabilities.

Does Brakeman Pro find more vulnerabilities?

Given the additional rules included in Brakeman Pro, it is very likely to return more warnings than the open source version of Brakeman.

Improvements to the scanning engine lead to discovering more potential vulnerabilities and also reducing false positives in some cases.