Nytro
Posted January 5, 2015

This tool, developed in 2010 by Justin Collins (@presidentbeef), is specifically for finding vulnerabilities and security issues in Ruby on Rails apps at any development stage. Brakeman is used by the likes of Twitter (where Justin is employed), GitHub, and Groupon to look for vulnerabilities. Justin gave a talk at RailsConf 2012 that's worth watching, describing the value of using SCA early on and how Brakeman accomplishes that.

The Good: Easy setup and configuration, and fast scans. Because it's specifically built for Ruby on Rails apps, it does a great job at checking configuration settings for best practices. With the ability to check only certain subsets, each code analysis can be customized to specific issues. The developer has been maintaining and updating the tool on a regular basis since its first release.

The Not-So-Good: Because of its suspicious nature, the tool can show a high rate of false positives. As written on the tool's FAQ page, just because a report shows zero warnings doesn't mean your application is flaw-free: "There may be vulnerabilities Brakeman does not test for or did not discover. No security tool has 100% coverage."

Source: Brakeman - Rails Security Scanner
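The post's two practical points, a high false-positive rate and the warning that zero findings does not mean zero flaws, are what a team has to deal with when wiring Brakeman into CI. The script below is an added example written for this page; it is not code from the original post or from the Brakeman project. It consumes a Brakeman JSON report (the format `brakeman -f json` produces), counts warnings per confidence level, fails the build only for findings at or above a chosen confidence (so Weak findings are surfaced but do not block every commit), and also fails when the report lists scan errors, because a file Brakeman could not analyse has no coverage at all. The report embedded in the script is a constructed sample, not real scan output, and the field names (`warnings`, `errors`, `confidence`, `check_name`, `user_input`, and so on) are assumed to match Brakeman's JSON report; check them against a report from your own run.

```ruby
require "json"

# Constructed sample of a Brakeman JSON report (the shape `brakeman -f json`
# emits), NOT the output of a real scan. Field names follow Brakeman's JSON
# report format as assumed for this example; verify against your own report.
SAMPLE_REPORT = <<~'JSON'
  {
    "scan_info": { "app_path": "/srv/shop", "rails_version": "4.1.8" },
    "warnings": [
      {
        "warning_type": "SQL Injection",
        "check_name": "SQL",
        "message": "Possible SQL injection",
        "file": "app/models/user.rb",
        "line": 12,
        "code": "User.where(\"name = '#{params[:name]}'\")",
        "user_input": "params[:name]",
        "confidence": "High"
      },
      {
        "warning_type": "Cross-Site Scripting",
        "check_name": "CrossSiteScripting",
        "message": "Unescaped model attribute",
        "file": "app/views/users/show.html.erb",
        "line": 4,
        "code": "User.find(params[:id]).bio",
        "user_input": null,
        "confidence": "Medium"
      },
      {
        "warning_type": "Redirect",
        "check_name": "Redirect",
        "message": "Possible unprotected redirect",
        "file": "app/controllers/sessions_controller.rb",
        "line": 20,
        "code": "redirect_to(params[:return_to])",
        "user_input": "params[:return_to]",
        "confidence": "Weak"
      }
    ],
    "ignored_warnings": [],
    "errors": []
  }
JSON

# Brakeman's confidence levels, from most to least certain.
CONFIDENCE_ORDER = %w[High Medium Weak].freeze

# Parse a report and count warnings per confidence level.
def summarize(report_json)
  report   = JSON.parse(report_json)
  warnings = report.fetch("warnings", [])
  counts   = Hash.new(0)
  warnings.each { |w| counts[w["confidence"]] += 1 }
  { warnings: warnings, errors: report.fetch("errors", []), counts: counts }
end

# Decide whether a CI build should fail. Warnings at or above +threshold+
# block the build; lower-confidence ones are reported but do not block, which
# keeps the false-positive-prone Weak findings from stopping every commit
# while still surfacing them for review. Any scan error also fails the build:
# a file Brakeman could not analyse has no coverage, so an empty warning list
# says nothing about it.
def gate(report_json, threshold: "Medium")
  raise ArgumentError, "unknown confidence #{threshold}" unless CONFIDENCE_ORDER.include?(threshold)
  summary         = summarize(report_json)
  blocking_levels = CONFIDENCE_ORDER.take(CONFIDENCE_ORDER.index(threshold) + 1)
  blocking        = summary[:warnings].select { |w| blocking_levels.include?(w["confidence"]) }
  {
    fail:     !blocking.empty? || !summary[:errors].empty?,
    blocking: blocking,
    counts:   summary[:counts],
    errors:   summary[:errors]
  }
end

# One CI log line per blocking warning: location, which check fired, and the
# user input Brakeman traced to the sink (when it identified one).
def format_blocking(result)
  result[:blocking].map do |w|
    input = w["user_input"] ? " <- #{w["user_input"]}" : ""
    "#{w["file"]}:#{w["line"]} [#{w["confidence"]}] #{w["check_name"]}: #{w["message"]}#{input}"
  end
end

if $PROGRAM_NAME == __FILE__
  result = gate(SAMPLE_REPORT, threshold: "Medium")
  puts "Warnings by confidence: #{result[:counts].to_h}"
  puts format_blocking(result)
  puts(result[:fail] ? "FAIL: blocking findings or scan errors" : "PASS")
end
```

In a pipeline you would feed it the real report (`brakeman -f json -o brakeman.json`, then `gate(File.read("brakeman.json"))`) and turn `result[:fail]` into the process exit status. Findings the team has reviewed and judged false positives belong in Brakeman's own ignore file rather than in a lower threshold, so the gate stays strict for new code.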