Configure a Ruby agent with Contrast in 5 minutes | Ruby Security Monitoring | Contrast Security
Ali Tajiki, Senior Product Manager, Contrast Security
Ali is a problem-solving servant leader who enjoys his free time with mixed martial arts, weightlifting, video games, and family/friends. Growing up in the Bay Area, he saw the impact of technology and wanted to be involved in the disruption. He studied electrical engineering at UCLA and then went to work at Symantec as a software engineer with Security Technology and Response (STAR). After earning his MBA and helping launch NBC’s Peacock streaming, he joined Contrast to help transform our platform into the next category-defining product.
An agent is Contrast's tool for application monitoring. Agents observe the running application, log security data and application status, analyze what they collect, and report it to Contrast.
That data includes information about the application's security vulnerabilities. Where a threat can be mitigated, the agent can prevent or block it using sensors. A sensor is a security instrumentation technique that collects security data from inside the instrumented application as it runs.
Contrast provides agents for several languages, including Ruby. The Ruby agent supports web frameworks such as Ruby on Rails, Grape, and Sinatra. With the agent configured in your web application, you can analyze its security without adding separate security tests to your development lifecycle.
In this article, we’ll see how you can configure a Ruby agent for your application.
Before getting into the instructions, we encourage you to have the following items ready:
- Ruby version 2.5 or higher installed on your machine. Even if you have never used Ruby, on Linux it may already be installed. Check with the following terminal command: ruby -v
- A basic understanding of Ruby is useful for concepts like gems, Gemfiles, and Bundler, which we cover briefly but which are not strictly necessary.
- autoconf installed on your system. autoconf is a tool built on the m4 macro processor, and the Ruby agent needs it for its native build. Follow the installation instructions for macOS and Windows. autoconf is pre-installed in most Linux distributions; on Linux you can check with this command: autoconf --version
- Contrast account credentials, including your username, service key, and API key. Credentials are not required if you only want to configure a Ruby agent for possible future use or for reference.
Configuring the Ruby Agent
In your working folder, open your Gemfile and add the following:
# the Contrast agent gem
gem 'contrast-agent'
Then run this command in your terminal to install the Contrast agent:
bundle install
Configuring the Contrast Ruby Agent
The Contrast Ruby agent requires several configuration parameters, which you can pass either as environment variables or in a configuration YAML file. The YAML file is the natural home for the settings that rarely change, including credentials such as your Contrast Security username and application programming interface (API) key. Because it holds credentials, treat the file as a secret: keep it out of version control and restrict its file permissions to the user that runs the application.
Note the order of precedence (an environment variable overrides the same setting in the YAML file) and the locations where the file is looked up before you decide which mechanism to use.
The YAML file is the reference point, because its nested key path is what the matching environment variable name is derived from. Take, for example, the agent's logger configuration. In the YAML file the logger settings sit under the agent key and then the logger key, so each setting is identified by a dotted path such as agent.logger.level.
For the environment variable, capitalize every letter, replace each period with a double underscore, and prefix the result with CONTRAST__, giving CONTRAST__AGENT__LOGGER__LEVEL.
At a bare minimum, the YAML file must contain the api settings the agent needs to reach Contrast: the Contrast URL, your API key, service key, and user name.
As noted in the documentation, the YAML file must be named contrast_security.yaml. Place the file in the working directory for simple Ruby applications, or in your framework's configuration location. For example, with Ruby on Rails you place it in the ./config folder. You can put it anywhere else as long as you point the agent at it with the CONTRAST_CONFIG_PATH environment variable.
You can use the Contrast Agent Configuration Editor to validate your YAML configuration. This editor checks for correct YAML syntax. Note that it is currently in beta.
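To make the naming rule and the order of precedence concrete, here is an added Ruby script written for this article; it is not part of the Contrast agent or its documentation. It flattens a constructed contrast_security.yaml into dotted keys, derives the CONTRAST__ environment variable name for each, resolves the effective value with the environment winning over the file, and flags required settings that still carry a placeholder. The key names (api.url, api.api_key, api.service_key, api.user_name, agent.logger.path, agent.logger.level) follow the documented Contrast layout as I know it; the values are placeholders I made up, and the helper names are mine.

```ruby
require 'yaml'

# Constructed minimal contrast_security.yaml (sample input for this script).
# The values are placeholders, not real credentials.
SAMPLE_YAML = <<~YAML
  api:
    url: https://app.contrastsecurity.com/Contrast
    api_key: REPLACE_WITH_API_KEY
    service_key: REPLACE_WITH_SERVICE_KEY
    user_name: agent_user@example.com
  agent:
    logger:
      path: contrast.log
      level: INFO
YAML

# Settings the agent cannot report without (assumption: the api block is
# the documented minimum).
REQUIRED_SETTINGS = %w[api.url api.api_key api.service_key api.user_name].freeze

# Flatten the nested YAML hash into dotted keys such as "agent.logger.level".
def flatten_keys(hash, prefix = nil)
  hash.each_with_object({}) do |(key, value), out|
    path = prefix ? "#{prefix}.#{key}" : key.to_s
    if value.is_a?(Hash)
      out.merge!(flatten_keys(value, path))
    else
      out[path] = value
    end
  end
end

# The naming rule from the text: uppercase, '.' becomes '__', CONTRAST__ prefix.
def env_name(dotted_key)
  "CONTRAST__#{dotted_key.upcase.gsub('.', '__')}"
end

# Resolve the effective value of every setting in the file. An environment
# variable overrides the YAML value (the documented precedence). `env` is a
# parameter (default ENV) so the resolution can be exercised offline.
def effective_config(yaml_text, env = ENV)
  from_file = flatten_keys(YAML.safe_load(yaml_text))
  from_file.each_with_object({}) do |(dotted, file_value), out|
    out[dotted] = env.fetch(env_name(dotted), file_value)
  end
end

# Required settings that are still empty or still carry a REPLACE_WITH_
# placeholder, so a half-edited file fails fast instead of producing a
# silent "agent is not reporting" mystery later.
def missing_settings(config)
  REQUIRED_SETTINGS.select do |dotted|
    value = config[dotted].to_s.strip
    value.empty? || value.start_with?('REPLACE_WITH_')
  end
end

if __FILE__ == $PROGRAM_NAME
  config = effective_config(SAMPLE_YAML)
  config.each { |dotted, value| puts "#{dotted} (#{env_name(dotted)}) = #{value}" }
  missing = missing_settings(config)
  warn("still to fill in: #{missing.join(', ')}") unless missing.empty?
end
```

Run it with a real contrast_security.yaml by reading the file into `effective_config` in place of `SAMPLE_YAML`; exporting `CONTRAST__AGENT__LOGGER__LEVEL=DEBUG` before running shows the environment value replacing the file's INFO without touching the file.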
First, require the agent in your application; this applies to all frameworks:
require 'contrast-agent'
Since the agent functions as a Railtie, you do not have to configure anything further for Ruby on Rails. For other Rack-based frameworks like Grape and Sinatra, this line inside your application class mounts the agent middleware:
use Contrast::Agent::Middleware, true
We have just gone through the basic but vital steps of setting up a Contrast Ruby agent.
It is easy to get started with Contrast's security monitoring features using these agents. Visit Contrast to learn more about its security capabilities and what it can do for your product, and see the Contrast Security documentation for the Ruby agent.