Top 23 Ruby Security Projects
Metasploit Framework
Project mention: Using metasploit to stage your own payloads | dev.to | 2022-12-01
Take a look at the source for stager_sock_reverse - the stager for linux/x64/shell/reverse_tcp.
WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites.
Project mention: WPScan | reddit.com/r/HackProtectSlo | 2022-09-26
A static analysis security vulnerability scanner for Ruby on Rails applications
Project mention: Github Pre-commit Hook Setup In Ruby On Rails for maintaining coding standards and productive. | dev.to | 2022-08-28
It's assumed that you already have a Rails app and use Brakeman to keep your app secure and RSpec to run your test cases.
Rack middleware for blocking & throttling
Project mention: Rack-attack gem setup to protect Rails and Rack apps from bad clients | dev.to | 2022-08-08
Rack middleware for blocking & throttling abusive requests. Protect your Rails and Rack apps from bad clients. Rack::Attack lets you quickly decide when to allow, block, and throttle based on the properties of the request. Using this gem you can save your web application from attacks; we can whitelist IPs, block requests according to requirements, and many more...

Install Rack-attack gem:

    # In your Gemfile
    gem 'rack-attack'

Plugging into the application

Then tell your Ruby web application to use rack-attack as a middleware.

    # config/application.rb
    # rack attack middleware
    config.middleware.use Rack::Attack

Once you've done that, you'll need to configure it. You can do this by creating the file config/initializers/rack-attack.rb and adding the rules to fit your needs. You can disable it permanently (like for a specific environment) or temporarily (can be helpful for specific test cases) by writing:

Usage

Safe listing

Safelists have the most precedence, so any request matching a safelist would be allowed despite matching any number of blocklists or throttles.

safelist_ip(ip_address_string)

    Rack::Attack.safelist_ip("18.104.22.168")

safelist_ip(ip_subnet_string)

    Rack::Attack.safelist_ip("22.214.171.124/24")

safelist(name, &block)

Name your custom safelist and make your ruby-block argument return a truthy value if you want the request to be allowed, and false otherwise.

Blocking

blocklist_ip(ip_address_string)

    Rack::Attack.blocklist_ip("126.96.36.199")

blocklist_ip(ip_subnet_string)

    Rack::Attack.blocklist_ip("188.8.131.52/16")

blocklist(name, &block)

Name your custom blocklist and make your ruby-block argument return a truthy value if you want the request to be blocked, and false otherwise.

Throttling

throttle(name, options, &block) (provide limit and period as options)

Throttle state is stored in a configurable cache (which defaults to Rails.cache if present). Name your custom throttle, provide limit and period as options, and make your ruby-block argument return the discriminator. This discriminator is how you tell rack-attack whether you're limiting per IP address, per user email, or any other.

For example, if we want to restrict requests other than defined routes and display a custom error page.

Error page:

If we want to restrict requests per IP and the request limit is exceeded, then send a reminder mail. For example, we want to allow only 300 requests per 30 seconds; after that we will restrict requests from this IP till the next 30-second interval starts. Get an error mail if the limit is exceeded.

Performance

The overhead of running Rack::Attack is typically negligible (a few milliseconds per request), but it depends on how many checks you've configured, and how long they take. Throttles usually require a network roundtrip to your cache server(s), so try to keep the number of throttle checks per request low. If a request is blocklisted or throttled, the response is a very simple Rack response. A single typical Ruby web server thread can block several hundred requests per second.

Sample rack-attack.rb file

For more information: https://github.com/rack/rack-attack

If this guide has been helpful to you and your team, please share it with others!
Next generation web scanner
Manages application of security headers with many safe defaults
Authorization service and frontend for Docker registry (v2)
InSpec: Auditing and Testing Framework
Project mention: Ruby: "the best" language for general automation | dev.to | 2022-05-12
The course uses Chef InSpec, an open source Ruby DSL. I made a POC with this tool to automatically check repositories on GitHub, with checks like whether it contains a .gitignore consistent with the language used, whether node_modules is not present, etc.
Patch-level verification for Bundler
Project mention: What are the gems that every Ruby dev should know how to use? | reddit.com/r/rails | 2022-08-03
bundler-audit - check for known security issues
⚔️ Web Hacker's Weapons / A collection of cool tools used by Web hackers. Happy hacking, Happy bug-hunting
A key value store for storing per-developer environment and application keys
:key: Community-driven Rails Security Checklist (see our GitHub Issues for the newest checks that aren't yet in the README)
Linting tool for CloudFormation templates
Project mention: Creating a Multi-Account CI/CD Pipeline with AWS CodePipeline | dev.to | 2022-11-06
CodeBuild will run a linting check against the CloudFormation Template using cfn-lint and will then run cfn-nag to check for patterns that indicate insecure resources within the CloudFormation template.
🔐 A dead-simple application to securely communicate passwords over the web. Passwords automatically expire after a certain number of views and/or time has passed.
Project mention: Password sharing | reddit.com/r/sysadmin | 2022-11-08
Ruby FFI binding to the Networking and Cryptography (NaCl) library (a.k.a. libsodium)
Project mention: Ruby cryptographic gems | dev.to | 2022-06-04
The other gem I want to explore is rbnacl. This gem provides general purpose cryptography for many different scenarios and algorithms. They do so in a simplified way so that mortals like us don't have to become cryptography experts. Check out these docs to see what I'm talking about!
:honey_pot: Unobtrusive and flexible spam protection for Rails apps
A small Ruby gem to generate YouTube-like hashes from one or many numbers. Use hashids when you do not want to expose your database ids to the user.
Dawn is a static analysis security scanner for Ruby-written web applications. It supports Sinatra, Padrino and Ruby on Rails frameworks.
Project mention: Security Risks On Rails: Misconfiguration and Unsafe Integrations | dev.to | 2022-01-26
Other useful gems you may take a look at are dawnscanner, reek, and hakiri_toolbelt.
Kubernetes RBAC static analysis & visualisation tool
Project mention: Data and System Visualization Tools That Will Boost Your Productivity | dev.to | 2022-06-13
Krane is a tool that can generate a graph showing relationships between all roles and subjects. Krane also has many more features, including RBAC risk assessment, reporting and alerting, as well as querying/interrogating RBAC rules with CypherQL.
A security extension for devise, meeting industry-standard security demands for web applications.
Project mention: Best authentication in 2022? Devise, Clearance, OAuth, anything else? | reddit.com/r/rails | 2022-07-19
Rodauth is IMO the most feature-complete and the most stable. It ships with "enterprise"-grade features such as single session, session expiration, password expiration, password complexity requirements, disallowing common passwords, and disallowing password reuse (basically what devise-security extension provides).
Multi-threaded AWS inventory collection tool with a focus on security-relevant resources and metadata.
Project mention: Automated capturing & documenting infra for AWS (EKS, IAM, VPC etc.) | reddit.com/r/msp | 2022-09-02
For an open source approach, tools from the security realm could potentially be a fit (keyword: aws recon), e.g. https://github.com/darkbitio/aws-recon
CIS Docker Benchmark - InSpec Profile
Project mention: A Detailed Talk about K8S Cluster Security from the Perspective of Attackers (Part 1) | dev.to | 2022-10-29
Generate and test domain typos and variations to detect and perform typo squatting, URL hijacking, phishing, and corporate espionage.
Ruby Security related posts
Using metasploit to stage your own payloads
1 project | dev.to | 1 Dec 2022
What is Metasploit- Overview, Framework, and How it is Used?
1 project | reddit.com/r/startups | 30 Nov 2022
1 project | reddit.com/r/metasploit | 29 Nov 2022
Isn't TOR secure enough? Why the need for VPN and VIRTUAL BOX
1 project | reddit.com/r/TOR | 29 Nov 2022
best way to find exploits from a vulnerability report?
1 project | reddit.com/r/techsupport | 28 Nov 2022
Python hacking lib
2 projects | reddit.com/r/Python | 11 Nov 2022
6 projects | reddit.com/r/sysadmin | 8 Nov 2022
What are some of the best open-source Security projects in Ruby? This list will help you: