Scan Ruby-based apps for security issues with Dawnscanner
Dawnscanner is an open source static analysis scanner designed to review the security of web applications written in Ruby.
Its developer, Paolo Perego, says that he was motivated to create it back in spring 2013, when he needed a tool to review a number of Sinatra-powered security apps, but couldn’t use the Brakeman Scanner as it supports only the testing of Ruby on Rails applications.
“Dawnscanner is not tied to a particular MVC (Model View Controller) framework. It is able to review code of Sinatra, Padrino and Ruby on Rails applications, and we plan to add support for Hanami (formerly Lotus for Ruby) in the future,” he told Help Net Security.
The tool is currently able to perform 230 security checks, covering issues from CVE/OSVDB bulletins and the OWASP Ruby on Rails security cheatsheet. It is also able to spot security issues related to the Ruby interpreter version developers are using for their projects.
Dawnscanner has no GUI, but has command line flags to help people using it in their own application security pipeline. It provides several formatting options for reporting, and can store scan results in a designated folder so developers can keep a history of security findings. Scan results list found vulnerabilities, and and offer mitigation options for them.
Short- and long-term plans
Paolo’s plans for the tool are many. He wants to add support for the Hanami framework and pure Rack applications, make Dawnscanner able to parse custom code to spot OWASP Top 10 security issues, and achieve a tight GitHub integration, so that the tool is able to consume a GitHub URL as an input parameter, download the report, bundle-install dependencies, and start analyzing the code.
If you notice that these plans contrast with the provided Dawnscanner development roadmap, be aware that the roadmap is also in need of an update.
Paolo is currently working on changing the way Dawnscanner manages its knowledge base, so that the knowledge base can be updated automatically, and a change in it does not lead to a new Dawnscanner gem release.
“With a full time job, 2 kids and, well, life, it’s really hard to be always on, pushing new code, fixing bugs and so on. There are periods of time in which I had to put energies on different topics,” he notes.
He’s aware that Dawnscanner is no longer a side project “just for fun”, and that people rely on it for their code production.
“Working on a tool designed to be consumed by a community trained to implement agile software development and to release often is really challenging,” he points out.
“They don’t have much time to spend over security issues not strictly related to their business/product. Dawnscanner (and other security tools) must be proactive, always on the move and they must talk in the developers’ language in order to give pointers and instructions that are easy to consume.”
Another problem he encountered while working on the tool is the general lack of awareness of the importance of signing Ruby gems.
“Dawnscanner is digitally signed, and I believe it’s very important to provide people a means to be sure that they’re using a software version that has not been tampered with by a third party. Some of Dawnscanner’s dependencies are, however, not signed, or have an expired signing certificate, and this makes the Dawnscanner installation (with signature verification) fail,” he explains. Users complain to him about third-party expired certificates, but there’s not much he can do about it.
Paolo is proud of his creation, but knows its limitations – he knows that a code review tool can’t be guaranteed to spot all security issues. He advises developers to manually inspect sensitive code, and follow up static analysis with a full application penetration test, to ensure the detection of security issues at runtime.