Brakeman, a static analysis tool - interview with Justin Collins, creator of the tool

Dear Readers,

Today we present an interview with Justin Collins, the creator of Brakeman, a static analysis security tool for Ruby on Rails applications. He told us how the tool works and about its new version. Enjoy reading!

[PT] Can you please introduce yourself to our readers?

[JC] Hi, I am Justin Collins, the original creator and maintainer of Brakeman, an open source static analysis security tool for Ruby on Rails. Brakeman started my career in security, and since then I have worked at AT&T Interactive, C, and SurveyMonkey as an application security engineer. I earned a BS in Computer Science from Seattle University and a PhD in Computer Science from the University of California, Los Angeles.

[PT] What are your thoughts about trends in developing vulnerability scanners?

[JC] In the past there have been large, clunky security tools made for security professionals. Being large and clunky, very few people are interested in running them and evaluating the results. The trend I see (and hope continues) is towards automated, proactive security. Instead of fixing security vulnerabilities, we should be preventing them.

For static analysis security tools, like Brakeman, it is best to deploy it as part of the software development cycle. The earlier in the development a security tool can provide feedback, the faster vulnerabilities can be addressed, and then vulnerabilities can be prevented from ever reaching production. To be useful, tools must be fast, accurate, and easy to automate. Older security products struggle with this, but newer ones will have to work this way to get developers to adopt them.

[PT] Please tell us more about your tool, Brakeman.

[JC] Brakeman analyzes the source code of Ruby on Rails applications and warns about potential security vulnerabilities. It’s primarily used as a command line tool and can easily be automated and integrated into the build/test process.

What sets Brakeman apart from many other static analysis tools is data flow analysis. Rails applications tend to have a common controller to view flow of information. Brakeman can track values from controller actions and filters to their eventual output, as well as doing local data flow inside methods. However, it is selective about where it performs the analysis, since it can be pretty slow.

There is a balance between how broad the analysis can be and how fast the tool runs. The open source version of Brakeman tries to remain as fast as possible. Typical scans are between 30 seconds and a couple minutes.

[PT] How did you come up with the idea of creating Brakeman?

[JC] I started developing Brakeman as an intern at AT&T Interactive in 2010 while working on my PhD. Without knowing anything about security, I had proposed it as a way of preventing cross-site scripting in their Ruby on Rails applications. I had taken some classes on static analysis and compilers, so I didn’t think it would be too hard. Famous last words.

[PT] Have you had any difficulties with creating it?

[JC] There have been many challenges along the way. Many people are quite skeptical of static analysis for dynamic languages like Ruby or JavaScript. The main difficulty - with any static analysis tool - is that it must deal with any possible code someone could write. People write very strange code! I now run every Brakeman change against over 350 applications to check for regressions.

[PT] What is the most important difference between the open source and commercial versions of your tool?

[JC] The most visible difference in Brakeman Pro is a desktop GUI for managing scan results and efficiently triaging reported warnings. The GUI is considerably more convenient when investigating potential security vulnerabilities since it can display more information and you can keep track of which warnings you have validated.

Just recently, we launched the Brakeman Pro Engine. Amongst other features, it is now extremely easy to add Brakeman Pro as just another assertion in an application’s test suite. It's a bit harder to see and explain the analysis enhancements - but they are included as well and improving over time.

[PT] If we speak about the open source version, how do you feel about sharing your work with others?

[JC] I am a big believer in open source. It has been essential for the success of Brakeman. Without being open source, I doubt anyone would have used it. For a static analysis tool, it’s critical that it be run on many different code bases and that users feel free to report problems and suggest improvements. Since Brakeman is free and open source, it has a broad user base and has now become the main security tool for Rails applications.

[PT] Not too long ago, you celebrated the 6th birthday of your tool. Have you got any special plans or wishes that you can share with us?

[JC] It is amazing that Brakeman was released to the public six years ago. I am excited to start working towards Brakeman 4.0, which will include a new default report format as a major feature.

My “birthday wish” is to have everyone who is working on a Ruby on Rails application use and benefit from Brakeman.

[PT] Thank you for the interview. Have you got any final thoughts? Is there anything you would like to add?

[JC] One drawback of static analysis is that each language/framework needs its own implementation. I encourage people to build source code analyzers for as many uses as possible. It’s not hard to get started - begin with one issue you would like to detect and build from there.

Thank you for the questions!
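To make the closing advice concrete ("begin with one issue you would like to detect and build from there"), here is an added example that is not part of the interview and not Brakeman's own code: a single-purpose static check written with Ruby's standard-library parser, Ripper. It looks only for the classic Rails SQL injection shape that Brakeman also reports, a string with `#{...}` interpolation passed to an Active Record query method, and reports the method name and line. The list of query methods and the sample controller source are constructed for this example; Brakeman's real analysis (controller-to-view data flow, many more patterns) is far broader.

```ruby
# Added example, not Brakeman's code: a single-purpose static check written
# with Ruby's standard-library parser (Ripper). It flags calls to a handful of
# Active Record query methods whose string argument contains interpolation,
# e.g. where("name = '#{params[:name]}'"), the classic Rails SQL injection.
require "ripper"

# Query methods that splice raw strings into SQL. Assumed list for the example;
# Brakeman's own coverage is broader.
SQL_METHODS = %w[where find_by_sql order group having select pluck].freeze

# Return the [:@ident, name, [line, col]] node of a method call, or nil.
# Ripper produces different node shapes depending on how the call is written:
#   User.where("...")   -> [:method_add_arg, [:call, recv, ".", ident], args]
#   where("...")        -> [:method_add_arg, [:fcall, ident], args]
#   User.where "..."    -> [:command_call, recv, ".", ident, args]
#   where "..."         -> [:command, ident, args]
def call_ident(node)
  case node[0]
  when :method_add_arg then call_ident(node[1])
  when :call, :command_call then node[3].is_a?(Array) && node[3][0] == :@ident ? node[3] : nil
  when :fcall, :command then node[1].is_a?(Array) && node[1][0] == :@ident ? node[1] : nil
  end
end

# Return the argument subtree of a call node, or nil if the node carries none.
def call_args(node)
  case node[0]
  when :method_add_arg, :command then node[2]
  when :command_call then node[4]
  end
end

# True if any string literal below this node contains "#{...}".
def interpolated?(node)
  return false unless node.is_a?(Array)
  return true if node[0] == :string_embexpr
  node.any? { |child| interpolated?(child) }
end

# Depth-first walk over the S-expression, collecting findings in source order.
# A bare :call nested inside :method_add_arg has no args of its own, so the
# same call is never counted twice.
def scan(node, findings)
  return unless node.is_a?(Array)
  ident = call_ident(node)
  if ident && SQL_METHODS.include?(ident[1]) && interpolated?(call_args(node))
    findings << { method: ident[1], line: ident[2][0] }
  end
  node.each { |child| scan(child, findings) }
end

# Parse one Ruby source string and return [{method:, line:}, ...].
def find_sql_interpolation(source)
  tree = Ripper.sexp(source)
  raise ArgumentError, "source does not parse" unless tree
  findings = []
  scan(tree, findings)
  findings
end

# Constructed sample controller for the example (not taken from any real app).
SAMPLE_SOURCE = <<~'RUBY'
  class UsersController < ApplicationController
    def search
      # Unsafe: request input interpolated straight into the SQL text.
      @users = User.where("name = '#{params[:name]}'")
      # Safe: bound parameter, the value never becomes part of the SQL.
      @exact = User.where("name = ?", params[:name])
      # Safe: hash conditions are quoted by Active Record.
      @by_hash = User.where(name: params[:name])
      # Unsafe: ORDER BY clause built from user input.
      @sorted = User.order("#{params[:sort]} DESC")
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  find_sql_interpolation(SAMPLE_SOURCE).each do |f|
    puts "line #{f[:line]}: possible SQL injection in #{f[:method]} (interpolated string)"
  end
end
```

Run against the sample it reports lines 4 and 10 and stays silent on the bound-parameter and hash forms. It is deliberately syntactic: it does not know whether the interpolated value actually came from a request, which is exactly the gap that the data flow analysis described earlier in the interview exists to close.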



February 22, 2017

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013