You can monitor application security for Ruby apps running in Docker, Kubernetes, Amazon ECS, and AWS Fargate.

Prerequisites

• The Datadog Agent is installed and configured for your application’s operating system or container, cloud, or virtual environment.
• If your service is running with an Agent with Remote Configuration enabled and a tracing library version that supports it, you can block attackers from the Datadog UI without additional configuration of the Agent or tracing libraries.

Enabling Application & API Protection

Get started

1. Update your Gemfile to include the Datadog library:

   gem 'datadog', '~> 2.0' # Use 'ddtrace' if you're using v1.x
   

   To check that your service’s language and framework versions are supported for Application & API Protection capabilities, see Compatibility.

   For more information about upgrading to v2 from a dd-trace 1.x version, see the Ruby tracer upgrade guide.

2. Enable Application & API Protection by enabling the APM tracer. The following options describe a quick setup that covers the most common cases. Read the Ruby tracer documentation for more details.

   You can enable Application & API Protection either in your code:

   Enable the APM tracer by adding an initializer in your application code:

   # config/initializers/datadog.rb
   
   require 'datadog/appsec'
   
   Datadog.configure do |c|
     # enable the APM tracer but disable trace processing - for security-only use
     c.tracing.instrument :rails
     c.tracing.enabled = false
   
     # enable Application & API Protection
     c.appsec.enabled = true
     c.appsec.instrument :rails
   end
   

   Or enable the APM tracer through auto-instrumentation by updating your Gemfile to auto-instrument:

   gem 'datadog', '~> 2.0', require: 'datadog/auto_instrument'
   

   And also enable appsec and disable tracing:

   # config/initializers/datadog.rb
   
   require 'datadog/appsec'
   
   Datadog.configure do |c|
     # the APM tracer is enabled by auto-instrumentation
     c.tracing.enabled = false
   
     # enable Application & API Protection
     c.appsec.enabled = true
     c.appsec.instrument :rails
   end
   

   Enable the APM tracer by adding the following to your application’s startup:

   require 'sinatra'
   require 'datadog'
   require 'datadog/appsec'
   
   Datadog.configure do |c|
     # enable the APM tracer but disable trace processing - for security-only use
     c.tracing.instrument :sinatra
     c.tracing.enabled = false
   
     # enable Application & API Protection for Sinatra
     c.appsec.enabled = true
     c.appsec.instrument :sinatra
   end
   

   Or enable the APM tracer through auto-instrumentation:

   require 'sinatra'
   require 'datadog/auto_instrument'
   
   Datadog.configure do |c|
     # the APM tracer is enabled by auto-instrumentation
     c.tracing.enabled = false
   
     # enable Application & API Protection for Sinatra
     c.appsec.enabled = true
     c.appsec.instrument :sinatra
   end
   

   Enable the APM tracer by adding the following to your config.ru file:

   require 'datadog'
   require 'datadog/appsec'
   
   Datadog.configure do |c|
     # enable the APM tracer but disable trace processing - for security-only use
     c.tracing.instrument :rack
     c.tracing.enabled = false
   
     # enable Application & API Protection for Rack
     c.appsec.enabled = true
     c.appsec.instrument :rack
   end
   
   use Datadog::Tracing::Contrib::Rack::TraceMiddleware
   use Datadog::AppSec::Contrib::Rack::RequestMiddleware
   

   Or one of the following methods, depending on where your application runs:

   Update your configuration container for APM by adding the following arguments in your docker run command:

   docker run [...] -e DD_APPSEC_ENABLED=true -e DD_APM_TRACING_ENABLED=false [...]
   

   Add the following environment variable values to your container Dockerfile:

   ENV DD_APPSEC_ENABLED=true
   ENV DD_APM_TRACING_ENABLED=false
   

   Update your configuration yaml file container for APM and add the environment variables:

   spec:
     template:
       spec:
         containers:
           - name: <CONTAINER_NAME>
             image: <CONTAINER_IMAGE>/<TAG>
             env:
               - name: DD_APPSEC_ENABLED
                 value: "true"
               - name: DD_APM_TRACING_ENABLED
                 value: "false"
   

   Update your ECS task definition JSON file, by adding these in the environment section:

   "environment": [
     ...,
     {
       "name": "DD_APPSEC_ENABLED",
       "value": "true"
     },
     {
       "name": "DD_APM_TRACING_ENABLED",
       "value": "false"
     }
   ]
   

   Initialize Application & API Protection in your code or set the environment variables in your service invocation:

   env DD_APPSEC_ENABLED=true DD_APM_TRACING_ENABLED=false rails server
   

   The library collects security data from your application and sends it to the Agent, which sends it to Datadog, where out-of-the-box detection rules flag attacker techniques and potential misconfigurations so you can take steps to remediate.

3. To see App and API Protection threat detection in action, send known attack patterns to your application. For example, trigger the Security Scanner Detected rule by running a file that contains the following curl script:

   for ((i=1;i<=250;i++)); 
   do
   # Target existing service’s routes
   curl https://your-application-url/existing-route -A dd-test-scanner-log;
   # Target non existing service’s routes
   curl https://your-application-url/non-existing-route -A dd-test-scanner-log;
   done

   Note: The dd-test-scanner-log value is supported in the most recent releases.

   A few minutes after you enable your application and exercise it, threat information appears in the Application Trace and Signals Explorer in Datadog.

Further Reading

Additional helpful documentation, links, and articles:

Adding user information to tracesDOCUMENTATION Ruby Datadog library source codeSOURCE CODE OOTB App & API Protection RulesDOCUMENTATION Troubleshooting App & API ProtectionDOCUMENTATION