Static analysis in dynamic languages is a well known difficult problem in computer science, with a great deal of emphasis being put on type inference. The problem is so difficult that Holkner and Harland's paper on static analysis in Python opens immediately with, "The Python programming language is typical among dynamic languages in that programs written in it are not susceptible to static analysis." Dynamic languages such as Ruby provide impressive programming power thanks to expressive language constructs and flexible typing. Ruby, in particular, is strongly leveraged in the web development ecosystems thanks to well known and supported frameworks such as Ruby on Rails and Sinatra. Web application security is a particularly difficult area for a number of reasons including, the low-barrier to entry for new developers combined with the high-demand for their services, the increasing complexity of the web-based ecosystem, and the traditional languages and frameworks for web-development not adopting a strong defensive stance as their default. Ruby on Rails adopts the "convention over configuration" policy aimed at aiding developers of all levels in building robust web applications with a minimum of configuration. The goal is for the framework to simply "do the right thing" by default, and more sophisticated features and technologies are to be explicitly applied by develop- ers with those more advanced requirements and understanding. Much of the power in the Ruby on Rails framework stems from careful use of "magic" functions: dynamically generated functions using Ruby's powerful metaprogramming structures. As a side effect, many of the methods called by developers are not available to a static analysis tool by simply examining the code on disk. We are able to leverage the consistency of the language and framework to perform static analysis on Ruby on Rails applications, and reason about their attack surface. This is done by analyzing the abstract syntax tree, and sometimes the configuration (generally simply library versions) of the program itself and by comparing it to a pre-compiled library of known security issues exposed by the Ruby on Rails framework.