GuardRails Helps 800+ Development Teams to Establish DevSecOps with Automated Security Reviews

Making security checks an integral part of the software development process is a much better and cost-effective solution compared to testing the security when your development team is almost done with the project. This is exactly where GuardRails comes in, offering automated vulnerability scanning for code as part of a standard development process that is built in accordance with DevOps approach.

Person Behind the Scenes

Founded 2 years ago by a seasoned security industry professional Stefan Streichsbier, GuardRails gained a reputation of a trusted product very fast. It is now used by SMEs, large enterprises and government-backed teams creating applications and services for entire countries.

Supported Programming Languages

Currently, GuardRails supports scanning of 9 programming languages, and the team is adding more of them continuously:

  • Python,
  • Ruby,
  • JavaScript,
  • Go,
  • Solidity,
  • Java,
  • Elixir,
  • C/C++
Programming languages supported by GuardRails

How does GuardRails work?

Initially, GuardRails worked with GitHub only, but support for GitLab has been added to meet the needs of large enterprises. Support for BitBucket is coming soon. For the typical developer, the process looks as follows:

GuardRails uses open source tools and libraries to check dependencies and detect security issues and vulnerabilities.

GuardRails is currently available both as GitHub application and GitLab integration.

Technology Under the Hood

Working on GuardRails as a third-party contractor, we work with JavaScript as the main programming language. End-to-end integration tests are written in Ruby. For backend development we rely on Node.JS. The frontend for the GuardRails website and the dashboard are written in React. In addition to this, we leverage Docker containers managed by the Docker swarm orchestration system, PostgreSQL as a DBMS, and RabbitMQ as a message broker. GuardRails is now running on Amazon AWS, though previously we used Amazon Lambda as an event-driven serverless platform. For security purposes, endpoints that are used for GitHub and AWS connections are encrypted in transit via TLS. We store the source code from repositories only temporarily during the scanning process. Once it’s scanned, GuardRails removes it entirely and securely.

The Dashboard

After the GuardRails app is linked to the repository (in this example — GitLab), it shows all the available projects subject to security check, which can be enabled or disabled, as you can see below:

Once a particular repository is enabled, the security check will be performed continuously. If no security issues are found, the outcome of the scan looks as follows:

Reporting

When GuardRails identifies vulnerabilities, a report is produced as a PR comment, which looks like this:

The PR comment above can be explained in the following screenshot, obtained from the GuardRails user manual:

GuardRails, as per information that is provided on its website, performs 3 distinct vulnerability scanning techniques

  1. Detection of Vulnerabilities in the source code
  2. Open Source Library analysis
  3. Secret detection

The first one includes:

  • Insecure Use of SQL Queries
  • Insecure Use of Dangerous Functions
  • Insecure Use of Regular Expressions
  • Insecure Authentication
  • Insecure Access Control
  • Insecure Configuration
  • Insecure File Management
  • Insecure Use of Crypto
  • Insecure Use of Language/Framework API
  • Insecure Processing of Data
  • Insecure Network Communication

The dependency analysis relies on publicly available records on the commonly known vulnerabilities in the current dependency tree. By default, the report contains only high severity issues.

Secret detection issues includes private keys, high entropy strings and basic authentication strings.

Mad Devs As Extended Team

As we at Mad Devs live and breathe automation and optimization, GuardRails was one of the most desired projects for our team to work on. Creation of powerful tools for developers means gaining more trust and respect in the community, so when we started to collaborate with Stefan, our entire team was excited about the many cool things we could implement together. The project team looked like this in terms of headcount:

We also collaborate with the GuardRails Machine Learning team, that aims to reduce false positives within the detected vulnerabilities.

We continue to work closely with the GuardRails team as their outsourced skill extension, always ready to help with support tickets, feature requests and project roadmap implementation. We do development tasks, assist with code refactoring and database optimizations, as well as interact with the entire GitHub ecosystem.

Thanks to the contribution made by Mad Devs, GuardRails has significantly improved their user experience as we managed to reduce the database response time from 2 seconds to 30 milliseconds for the most common requests. Previously users had to wait longer for their accounts and repositories to become available, and after we applied data structuring and indexing, the database started to work faster.

Hundreds of Active Customers

GuardRails has 800+ software development teams using it officially on GitHub and is rapidly gaining popularity on GitLab. The number of enterprise customers is also steadily increasing, especially since the release of an on-premise version of GuardRails. In just 2 years since its launch the project became 40% self-funded and got 1 million SGD (~750K USD) as a seed investment from Cocoon Capital, a Singapore-based early-stage venture capital firm.

What’s next?

We at Mad Devs also work closely with the Guardrails Machine Learning team to help the project achieve its long-term goals. The first priority is on reducing the percentage of false positives and improve the quality of security vulnerability detection. This competitive advantage will hopefully boost Guardrails’ adoption rate which can potentially achieve 600,000 organizations, according to the company’s internal market research.

Mad Devs Services.
Mad Devs Services.

Mad Devs — блог об IT

Engineering your growth. Mad Devs is the team behind large scalable projects, globally.

Mad Devs — блог об IT

Mad Devs is a Cambridge-headquartered IT company developing enterprise-level software solutions for finance, transportation & logistics, security, edtech, and advertising industries. For more information about us, please browse our website: https://maddevs.io/

Anastasia ‘Stacy’ Rostova (Raspopina)

Written by

Charismarketer, Event Junkie, Russian Poet, World Traveler

Mad Devs — блог об IT

Mad Devs is a Cambridge-headquartered IT company developing enterprise-level software solutions for finance, transportation & logistics, security, edtech, and advertising industries. For more information about us, please browse our website: https://maddevs.io/

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store