We love it. I have, in fact, evangelized it to some of our engineering teams that use ROR. I am not sure if they have decided to step up to commercial, but I strongly recommended it. It is a great tool and it saves me a huge amount of time and effort.
|Feature||Brakeman OSS||Brakeman Pro Engine||Brakeman Pro Desktop|
|Fast source code security scans||✓||✓||✓|
|Zero configuration required||✓||✓||✓|
|Detects 20+ vulnerability types||✓||✓||✓|
|Run at any point in development||✓||✓||✓|
|Rails data flow analysis||✓||✓||✓|
|False positive management||✓||✓||✓|
|Command line interface||✓||✓|
|Graphical desktop interface||✓|
|Manage all reports in one place||✓|
|Filter, sort, and search warnings||✓|
|Track validated warnings||✓|
|Create custom rules||✓||✓|
|Quickly explore action filters||✓|
|Extended warning explanations||✓|
|Syntax-highlighted code views||✓|
|Store notes per warning||✓|
|Analysis of view helpers||✓||✓|
|Deeper controller analysis||✓||✓|
|Render path navigation||✓|
|Detect dynamic evaluation||✓||✓|
|Detect use of basic authentication||✓||✓|
|OWASP Top 10 mapping||✓|
Justin Collins, the president of Brakeman, Inc., is the original author of Brakeman. Co-founder Neil Matatall is the second-largest open source contributor to the Brakeman project. We remain committed to the open source project, which is not owned or controlled by any corporate entity. In fact, work on the Brakeman Pro side has already resulted in many improvements to the open source project. We believe that maintaining and supporting the open source Brakeman project demonstrates our commitment to integrity.
The most obvious difference is the Brakeman Pro GUI, which is not available in the open source version. However, the differences go deeper than just the interface.
The goals of open source Brakeman are to be simple to use, fast, and as accurate as possible (a low false positive rate). Open source Brakeman should be easily accessible even to those new to security tools, fast enough to run as part of continuous integration, and selective enough that its false positives do not annoy users. Brakeman Pro, on the other hand, provides a more complex interface, performs slower but deeper scans, and reports as much information as possible (which may mean more false positives). Brakeman Pro also makes it easy to manage those false positives.
Additionally, once an open source Brakeman report is generated, it is up to the user to manage the reports. Brakeman Pro provides a streamlined interface to manage warnings and reports across multiple scans and projects.
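As an added illustration of what "managing the reports" means on the open source side (this is example code, not part of Brakeman or Brakeman Pro): OSS Brakeman can emit a JSON report with `brakeman -f json -o brakeman.json` and records reviewed false positives by fingerprint in a `brakeman.ignore` file (created interactively with `brakeman -I`, read back with `-i brakeman.ignore`). The script below reads both, drops ignored fingerprints, sorts what remains by confidence, and decides whether a CI build should fail. The report and ignore-file contents are constructed samples that follow the shape of those files; the field names (`warnings`, `fingerprint`, `confidence`, `ignored_warnings`) are assumed to match Brakeman's output, and the `triage`/`ci_gate` helpers are this example's own.

```ruby
require 'json'

# Constructed sample in the shape of a Brakeman JSON report (`brakeman -f json`),
# trimmed to the fields used below. Values are illustrative, not from a real scan.
SAMPLE_REPORT = <<~JSON
  {
    "warnings": [
      {"warning_type": "SQL Injection", "confidence": "High", "fingerprint": "aaa111",
       "file": "app/models/user.rb", "line": 12, "message": "Possible SQL injection"},
      {"warning_type": "Cross-Site Scripting", "confidence": "Medium", "fingerprint": "bbb222",
       "file": "app/views/users/show.html.erb", "line": 4, "message": "Unescaped model attribute"},
      {"warning_type": "Mass Assignment", "confidence": "Weak", "fingerprint": "ccc333",
       "file": "app/controllers/users_controller.rb", "line": 30, "message": "Parameters should be whitelisted"}
    ],
    "errors": []
  }
JSON

# Constructed brakeman.ignore contents: reviewed warnings keyed by fingerprint,
# each with a note recording why it was judged a false positive.
SAMPLE_IGNORE = <<~JSON
  {
    "ignored_warnings": [
      {"fingerprint": "bbb222", "note": "Attribute is escaped upstream in UsersHelper; reviewed"}
    ]
  }
JSON

# Lower rank means more certain. Unknown confidence strings sort last.
CONFIDENCE_RANK = { 'High' => 0, 'Medium' => 1, 'Weak' => 2 }.freeze

def rank(warning)
  CONFIDENCE_RANK.fetch(warning['confidence'], CONFIDENCE_RANK.size)
end

# Warnings not listed in the ignore file, most confident first.
# Matching on fingerprint (not file/line) keeps the ignore stable across edits
# elsewhere in the file, which is why Brakeman keys ignores that way.
def triage(report_json, ignore_json)
  ignored = JSON.parse(ignore_json).fetch('ignored_warnings', []).map { |w| w['fingerprint'] }
  JSON.parse(report_json).fetch('warnings')
      .reject { |w| ignored.include?(w['fingerprint']) }
      .sort_by { |w| rank(w) }
end

# CI gate: fail when any unignored warning is at or above `fail_at` confidence.
# Returns a hash so callers can both decide and report.
def ci_gate(report_json, ignore_json, fail_at: 'Medium')
  threshold = CONFIDENCE_RANK.fetch(fail_at)
  blocking = triage(report_json, ignore_json).select { |w| rank(w) <= threshold }
  { pass: blocking.empty?, blocking: blocking }
end

def format_warning(w)
  "#{w['confidence'].ljust(6)} #{w['warning_type']}  #{w['file']}:#{w['line']}  " \
    "#{w['message']} [#{w['fingerprint']}]"
end

# Stand-alone run: print the triaged list and the gate decision.
triage(SAMPLE_REPORT, SAMPLE_IGNORE).each { |w| puts format_warning(w) }
result = ci_gate(SAMPLE_REPORT, SAMPLE_IGNORE)
puts(result[:pass] ? 'CI gate: pass' : "CI gate: FAIL (#{result[:blocking].size} blocking)")
```

In a real pipeline the script would read `brakeman.json` and `brakeman.ignore` from disk and call `exit 1` when `ci_gate` returns `pass: false`; OSS Brakeman's own `-z` flag gives a coarser version of the same gate (non-zero exit on any warning) without the confidence threshold.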
The Brakeman Pro engine diverges from the open source engine to provide more warnings, deeper analysis, and a wider breadth of information about the Rails applications being scanned. The goal is to provide a detailed picture of Rails applications from a security standpoint and enable users to quickly search for security vulnerabilities.
Given the additional rules included in Brakeman Pro, it is very likely to return more warnings than the open source version of Brakeman.
Improvements to the scanning engine lead to discovering more potential vulnerabilities and also reducing false positives in some cases.