[GPC] OWASP Project - Brakeman - Static-ish Analysis for Ruby on Rails Applications

Paulo Coimbra paulo.coimbra at owasp.org
Fri Jul 9 11:22:56 EDT 2010


Hello Neil and Justin,

First of all, thank you for volunteering to lead an OWASP Project.  It is
with volunteers like yourselves that OWASP continues to succeed in making
application security visible.

Second, regarding your new leadership of this project, I'd like to request
that you send a project roadmap - basically the high level details of where
you'd like to take the project.  The OWASP Global Projects Committee (GPC)
will look at the roadmap and provide feedback on your project:  suggesting
projects which are closely related, resources and contacts which may assist
your efforts and any other suggestions to increase your project's success.

To get your project started, here are a couple of references for your
review:

 - The Guidelines for OWASP Projects provide a quick overview of items key
to a project's success -
http://www.owasp.org/index.php/Guidelines_for_OWASP_Projects,

 - OWASP's Assessment Criteria is the metric by which projects are
evaluated.  There are three categories for projects: Alpha, Beta, and
Release.  The Assessment Criteria allows project leaders to know what
aspects of projects OWASP values -
http://www.owasp.org/index.php/Category:OWASP_Project_Assessment,

 - OWASP's GPC blog - http://globalprojectscommittee.wordpress.com/,


Your project will have an OWASP wiki page to inform and promote your project
to the OWASP community.  To set up your project's page, please provide the
details below so that the GPC can establish your initial project page.  The
details provided will be used to complete OWASP's project template.  Feel
free to add any additional information to the wiki page or request assistance
about how to add to your project's wiki page.

Details to create your project page:
(0) Project Name, (done)
(1) Project purpose / overview (done?),
(2) Project Roadmap (as mentioned above),
(3) Project links (if any) to external sites,
(4) Project License
(http://www.owasp.org/index.php/Guidelines_for_OWASP_Projects#Project_Licensing),
(5) Project Leader name, (done)
(6) Project Leader email address,
(7) Project Leader wiki account - the username (you'll need this to edit the
wiki),
(8) Project Maintainer (if any) - name, email and wiki account (if any),
(9) Project Contributor(s) (if any) - name, email and wiki account (if any),
(done)

As your project reaches a point that you'd like OWASP to assist in its
promotion, the GPC will need the following to help spread the word about
your project:

 * Conference style presentation describing the project in at least 3 slides -
http://globalprojectscommittee.wordpress.com/2009/07/27/what-is-the-3x-slide-presentation-thing/

 * Project Flyer/Pamphlet (PDF file) -
http://globalprojectscommittee.wordpress.com/2009/07/21/what-is-this-project-flyerpamphlet-thing/

As work on your project progresses and you are ready to create a release,
please let the GPC know of the change in status.  The GPC can work with you
to get your project assessed and moved up the OWASP quality ladder from
Alpha to Beta to Stable.  Not every release requires an assessment -
feel free to email the GPC if you are unsure about your project's
requirements.  For examples of projects at various quality levels, please
see the OWASP Project page -
http://www.owasp.org/index.php/Category:OWASP_Project

That is all for now - I wish you and your project great success.  Thank you
for supporting OWASP's mission.

Should you have any questions or require any further information, please do
not hesitate to contact me. 

Many thanks, best regards,

Paulo Coimbra,
OWASP Project Manager <https://www.owasp.org/index.php/Main_Page>

From: Neil Matatall [mailto:neil at owasp.org]
Sent: Thursday, 8 July 2010 19:24
To: Paulo Coimbra
Cc: dinis cruz; Justin Collins; tin.zaw at owasp.org;
global-projects-committee at lists.owasp.org
Subject: Re: [GPC] OWASP Project - Brakeman - Static-ish Analysis for Ruby
on Rails Applications

Sounds good to me.

On Thu, Jul 8, 2010 at 3:28 AM, Paulo Coimbra <paulo.coimbra at owasp.org>
wrote:

> Hello GPC, Dinis, Justin and Neil,
>
> Is this the right time to create a wiki page for this project?
>
> Thanks,
>
> Paulo Coimbra,
> OWASP Project Manager
>

> From: global-projects-committee-bounces at lists.owasp.org
> [mailto:global-projects-committee-bounces at lists.owasp.org] On Behalf
> Of dinis cruz
> Sent: Thursday, 8 July 2010 02:40
> To: Justin Collins
> Cc: tin.zaw at owasp.org; global-projects-committee at lists.owasp.org
> Subject: Re: [GPC] OWASP Project - Brakeman - Static-ish Analysis for
> Ruby on Rails Applications
>
> Interesting, we really should swap notes on how you used the AST to
> create those traces.
>
> I think I followed a similar path with the OWASP O2 Platform when I
> added a static analysis engine for .NET. The O2 traces are created
> from the .NET AST and are based on the concept of 'Method
> Streams' (which is a dynamically created file that: "...for a starting
> method X contains all relevant methods that are (recursively) called
> from that method"). See here for a couple of examples:
>
> http://o2platform.com/wiki/O2_.NET_AST_Scanner_-_HacmeBank_Example
> http://o2platform.com/wiki/O2_.NET_AST_Scanner_-_HacmeBank_-_SQL_Injection_PoC
>
> Let me know when you have published the code (under an Open Source
> license), so that I can integrate it with O2.
>
> When you are ready, I really would like to give you a guided tour of
> O2, since there are a lot of features and capabilities in there that
> will make your life much easier (and prevent you from having to
> re-invent the wheel).
>
> We also need to collaborate on the schema for the rules so that we
> have a unified standard across engines and languages.
>
> Dinis Cruz
>
> Blog: http://diniscruz.blogspot.com
> Twitter: http://twitter.com/DinisCruz
> Web: http://www.owasp.org/index.php/O2
>

> On 8 July 2010 00:51, Justin Collins <jcollins at attinteractive.com> wrote:
>
> Hi Dinis,
>
> - is the code published?
>
> Not yet.
>
> - is it in a working state, i.e. can it already find vulnerabilities?
>
> Yes. It can detect the ones listed below, plus more.
>
> - does it perform taint analysis on the code?
>
> It does track variables, but it makes the basic assumption that
> request parameters and database values are untrusted. At the moment,
> it does not do anything fancier than that.
>
> - how does it work internally? (does it build an internal
> representation of the code? Does it work on top of the source code
> AST?)
>
> It works from the AST, which it pares down to the "interesting" parts.
> It makes a pass over the AST to propagate variable values,
> particularly from controllers to views. It also manages a central data
> structure with specific parts of the Rails app that it has gathered
> (such as routes, controller names, etc). Once the structure is set up,
> it gets passed to a set of checks which look for specific vulnerabilities.
>
> - how are the security rules created, edited and stored?
>
> At the moment, the rules are just Ruby code, although each check is
> managed independently. It is possible to create a better plug-in or
> rule-based architecture.
>
> - is it possible to export the artifacts and results created? (if so,
> in what formats?)
>
> This is entirely possible, as there is already rudimentary support for
> Ruport (http://rubyreports.org) which supports CSV, PDF, HTML, and
> text reports.
>
> -Justin
>

> -----Original Message-----
> From: dinis cruz [mailto:dinis.cruz at owasp.org]
> Sent: Saturday, July 03, 2010 6:07 AM
> To: Neil Matatall
> Cc: global-projects-committee at lists.owasp.org; Justin Collins
> Subject: Re: [GPC] OWASP Project - Brakeman - Static-ish Analysis for
> Ruby on Rails Applications
>
> This is great and perfect for OWASP.
>
> A couple of questions:
> - is the code published?
> - is it in a working state, i.e. can it already find vulnerabilities?
> - does it perform taint analysis on the code?
> - how does it work internally? (does it build an internal
> representation of the code? Does it work on top of the source code
> AST?)
> - how are the security rules created, edited and stored?
> - is it possible to export the artifacts and results created? (if so,
> in what formats?)
>
> Dinis Cruz
>
> On 3 Jul 2010, at 00:38, Neil Matatall <neil at owasp.org> wrote:
>

>> I just wanted to get a feeler, I can provide the rest if there is
>> interest.  It is still in development.  This tool is being developed
>> for AT&T Interactive with the plan of open sourcing it.
>>
>> A - PROJECT
>>
>>   1. Project Name - Brakeman
>>   2. Project Purpose - Scan Rails applications and look for potential
>> vulnerabilities
>>   3. Project License - LGPL?
>>   4. Project Leader - Justin Collins
>>   5. Project Maintainer - TBD
>>   6. Project Contributor(s) - Justin Collins
>>
>> Can detect:
>> - Bad string interpolation in calls to Model.find, Model.last,
>> Model.first, and instances of Model, as well as chained calls ending
>> in 'find' (SQL Injection)
>> - String interpolation in find_by_sql (SQL Injection)
>> - String interpolation or params in calls to system, exec,
>> and syscall and `` (Command Injection)
>> - Unrestricted mass assignments
>> - Global restriction of mass assignment
>> - Missing call to protect_from_forgery in ApplicationController (CSRF
>> protection)
>> - Default routes, per-controller and globally
>> - Redirects based on params (probably too broad currently)
>>
>> General capabilities:
>> - Search for method calls based on target class and/or method name
>> - Determine 'output' of templates using ERB, Erubis, or HAML
>>
>> --
>>
>> Neil
>> _______________________________________________
>> Global-projects-committee mailing list
>> Global-projects-committee at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/global-projects-committee
>

--
Neil