GuardRails Helps 800+ Development Teams to Establish DevSecOps with Automated Security Reviews
Making security checks an integral part of the software development process is a much better and cost-effective solution compared to testing the security when your development team is almost done with the project. This is exactly where GuardRails comes in, offering automated vulnerability scanning for code as part of a standard development process that is built in accordance with DevOps approach.
Person Behind the Scenes
Founded 2 years ago by a seasoned security industry professional Stefan Streichsbier, GuardRails gained a reputation of a trusted product very fast. It is now used by SMEs, large enterprises and government-backed teams creating applications and services for entire countries.
Supported Programming Languages
Currently, GuardRails supports scanning of 9 programming languages, and the team is adding more of them continuously:
- Python,
- Ruby,
- JavaScript,
- Go,
- Solidity,
- Java,
- Elixir,
- C/C++
How does GuardRails work?
Initially, GuardRails worked with GitHub only, but support for GitLab has been added to meet the needs of large enterprises. Support for BitBucket is coming soon. For the typical developer, the process looks as follows:
GuardRails uses open source tools and libraries to check dependencies and detect security issues and vulnerabilities.
GuardRails is currently available both as GitHub application and GitLab integration.
Technology Under the Hood
Working on GuardRails as a third-party contractor, we work with JavaScript as the main programming language. End-to-end integration tests are written in Ruby. For backend development we rely on Node.JS. The frontend for the GuardRails website and the dashboard are written in React. In addition to this, we leverage Docker containers managed by the Docker swarm orchestration system, PostgreSQL as a DBMS, and RabbitMQ as a message broker. GuardRails is now running on Amazon AWS, though previously we used Amazon Lambda as an event-driven serverless platform. For security purposes, endpoints that are used for GitHub and AWS connections are encrypted in transit via TLS. We store the source code from repositories only temporarily during the scanning process. Once it’s scanned, GuardRails removes it entirely and securely.
The Dashboard
After the GuardRails app is linked to the repository (in this example — GitLab), it shows all the available projects subject to security check, which can be enabled or disabled, as you can see below:
Once a particular repository is enabled, the security check will be performed continuously. If no security issues are found, the outcome of the scan looks as follows:
Reporting
When GuardRails identifies vulnerabilities, a report is produced as a PR comment, which looks like this:
The PR comment above can be explained in the following screenshot, obtained from the GuardRails user manual:
GuardRails, as per information that is provided on its website, performs 3 distinct vulnerability scanning techniques
- Detection of Vulnerabilities in the source code
- Open Source Library analysis
- Secret detection
The first one includes:
- Insecure Use of SQL Queries
- Insecure Use of Dangerous Functions
- Insecure Use of Regular Expressions
- Insecure Authentication
- Insecure Access Control
- Insecure Configuration
- Insecure File Management
- Insecure Use of Crypto
- Insecure Use of Language/Framework API
- Insecure Processing of Data
- Insecure Network Communication
The dependency analysis relies on publicly available records on the commonly known vulnerabilities in the current dependency tree. By default, the report contains only high severity issues.
Secret detection issues includes private keys, high entropy strings and basic authentication strings.
Mad Devs As Extended Team
As we at Mad Devs live and breathe automation and optimization, GuardRails was one of the most desired projects for our team to work on. Creation of powerful tools for developers means gaining more trust and respect in the community, so when we started to collaborate with Stefan, our entire team was excited about the many cool things we could implement together. The project team looked like this in terms of headcount:
We also collaborate with the GuardRails Machine Learning team, that aims to reduce false positives within the detected vulnerabilities.
We continue to work closely with the GuardRails team as their outsourced skill extension, always ready to help with support tickets, feature requests and project roadmap implementation. We do development tasks, assist with code refactoring and database optimizations, as well as interact with the entire GitHub ecosystem.
Thanks to the contribution made by Mad Devs, GuardRails has significantly improved their user experience as we managed to reduce the database response time from 2 seconds to 30 milliseconds for the most common requests. Previously users had to wait longer for their accounts and repositories to become available, and after we applied data structuring and indexing, the database started to work faster.
Hundreds of Active Customers
GuardRails has 800+ software development teams using it officially on GitHub and is rapidly gaining popularity on GitLab. The number of enterprise customers is also steadily increasing, especially since the release of an on-premise version of GuardRails. In just 2 years since its launch the project became 40% self-funded and got 1 million SGD (~750K USD) as a seed investment from Cocoon Capital, a Singapore-based early-stage venture capital firm.
What’s next?
We at Mad Devs also work closely with the Guardrails Machine Learning team to help the project achieve its long-term goals. The first priority is on reducing the percentage of false positives and improve the quality of security vulnerability detection. This competitive advantage will hopefully boost Guardrails’ adoption rate which can potentially achieve 600,000 organizations, according to the company’s internal market research.
