How to install Arachni on Mac OS X Lion

Since I am now hairless after installing Arachni on OS X, I’ll hopefully save someone else the same ordeal. Various problems with the OS X toolchain not playing nice with the latest Ruby, then nokogiri causing a segfault because of using an old version of libxml2… etc.
Anyway, finally got a working version as follows:

1. Install GCC for Lion: https://github.com/kennethreitz/osx-gcc-installer/downloads
2. Edit ~/.bash_profile and add:
export CC=gcc-4.2
export CXX=g++-4.2
3. Install RVM as per these instructions, remember to make the change to ~/.bash_profile as mentioned on the page and the reload the shell.
4. Install Homebrew
5. Install libxml2 and libxslt:
   brew install libxml2 libxslt
6. Link the newly installed libraries:
   brew link libxml2 libxslt
7. Install the nokogiri gem: gem install nokogiri once installed, run:
   nokogiri -v and check that it’s linked to the version of libxml2 you just installed.
8. Install Arachni:
   gem install arachni
9. Marvel at the lack of segfaults

ORM validation

@EoinKeary got me thinking about data validation again, in particular the security implications of relying on data val in the ORM tier when numerous attacks can be performed on the presentation and middle tiers before hitting ORM. I still prefer the approach of only defining data validation rules in one place, and that place should be as close to the data as possible – so hibernate or JPA annotations make a lot of sense.

So how do you validate data for the tiers further up the stack?

Defining data validation rules in two places violates the DRY principal and is going to be error prone. Furthermore, it makes the code less modular because you’d need to redefine the data val rules every time you add another interface to the application.

A number of web frameworks provide a more elegant solution: Define the data validation rules in the model objects (ORM tier), but validate them whenever you like, e.g. in the web tier when first performing data binding. Some examples:

JBoss Seam: http://docs.jboss.org/seam/2.2.2.Final/reference/en-US/html/validation.html
Grails: http://www.grails.org/doc/latest/guide/validation.html

• 
  

• About

  Secure and robust software doesn’t have to be an utopian ideal. By treating security as a first class business requirement during the initial design, implementation and testing phases, software can be secure by default.

• Recently Written

  • How to install Arachni on Mac OS X Lion
  • ORM validation
  • HTTP Fingerprinting tool
  • Security Gap Analysis of Struts2
  • PCI scoring contradiction
  • Digg like security news site
  • Seam Remoting’s default allow
  • Integrating security into QA testing
  • Security Testing with Watij
  • Defining security requirements

• Categories

  • Design
  • frameworks
  • News
  • Testing
  • Uncategorized

• Archives

  • January 2012
  • November 2009
  • May 2009
  • April 2009
  • September 2008
  • February 2008
  • January 2008

• Blogroll

  • Adam Boulton’s blog
  • Build Security In
  • Corsaire
  • OWASP
  • Security Pundit
  • Test Driven

• Admin

  • Register
  • Log in