Railroader is a security scanner for Ruby on Rails applications.
Unlike many web security scanners, Railroader looks at the source code of your application. This means you do not need to set up your whole application stack to use it.
Once Railroader scans the application code, it produces a report of all security issues it has found.
No Configuration Necessary
Railroader requires zero setup or configuration once it is installed. Just run it.
Run It Anytime
Because all Railroader needs is source code, Railroader can be run at any stage of development: you can generate a new application with
rails new and immediately check it with Railroader.
Since Railroader does not rely on spidering sites to determine all their pages, it can provide more complete coverage of an application. This includes pages which may not be ‘live’ yet. In theory, Railroader can find security vulnerabilities before they become exploitable.
Railroader is specifically built for Ruby on Rails applications, so it can easily check configuration settings for best practices.
Each check performed by Railroader is independent, so testing can be limited to a subset of all the checks Railroader comes with.
While Railroader may not be exceptionally speedy, it is much faster than “black box” website scanners. Even large applications should not take more than a few minutes to scan.
Only the developers of an application can understand if certain values are dangerous or not. By default, Railroader is extremely suspicious. This can lead to many “false positives.”
Railroader assumes a “typical” Rails setup. There may be parts of an application which are missed because they do not fall within the normal Rails application layout.
Only Knows Code
Dynamic vulnerability scanners which run against a live website are able to test the entire application stack, including the webserver and database. Naturally, Railroader will not be able to report if a webserver or other software has security issues.
Railroader cannot understand everything which is happening in the code. Sometimes it just makes reasonable assumptions. It may miss things. It may misinterpret things. But it tries its best. Remember, if you run across something strange, feel free to file an issue for it.
The best course of action is to use both Railroader and a regular website security scanner. They are complementary approaches.
If you happen to use the Hudson/Jenkins continuous integration tool, there is a Railroader plugin for it.