@Najaf

Najaf/SECURITY.md

Last active Sep 10, 2015
Security inspections

At the beginning of each month we carry out a brief, high-level security inspection. It is a sanity check for head-slapping, trivial vulnerabilities: the kind no one expected to be in the code but which somehow creep in anyway. It is not a substitute for a proper audit or pentest.

Who's responsible?

One of @alice, @bob or @charlie should do the inspection if no one else has the time.

How often?

We should do an inspection at the beginning of every calendar month.

How to do an inspection

  1. Check Riding Rails (the official Rails blog) for new Rails releases. Security releases are also announced on the rubyonrails-security mailing list. Upgrade or apply the patch if any new vulnerability affects a version we run.
  2. Upgrade brakeman first (important! an old brakeman does not know about recently added checks), then run it on the codebase. Investigate and fix any warnings it raises; do not just mark them as false positives without reading the code.
  3. Grep for html_safe, and also for raw( and <%==, since all three bypass ERB's HTML escaping. For each hit, confirm the value cannot be attacker-controlled; otherwise fix the XSS vulnerability.
  4. Grep for permit. Treat permit! as a bug (it whitelists every request parameter), and read each permit(...) attribute list for fields a user must not be able to set, such as admin or role flags. Fix any mass-assignment vulnerabilities you find.
  5. Spend a 15 minute timebox reading the code introduced since the last inspection for obvious security flaws (unparameterized where clauses, missing authorization checks, new html_safe or permit calls).
  6. Update this file with your name, the date and anything you had to fix in the inspection.

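Steps 3 and 4 are the ones that reduce to a mechanical search, so here they are as shell functions. This is an added example, not part of the original gist: the sample Rails tree it builds under a temp directory is a constructed fixture (one html_safe, one <%==, one raw() and one permit! finding next to a clean permit list), and the function names are ours. Point the functions at a real app root instead of the fixture to use them in an inspection.

```shell
#!/bin/sh
# Added example, not code from the gist: steps 3 and 4 of the monthly
# inspection as shell functions, exercised against a constructed sample
# Rails tree so they can be run and checked offline.
set -eu

# Step 3. Every way ERB output skips HTML escaping: String#html_safe,
# the raw() helper and the <%== tag. Each hit needs a human to confirm
# the value is not attacker-controlled.
find_unsafe_html() {
  # $1: root of the Rails app. Prints file:line:text for every match.
  find "$1/app" -type f \( -name '*.rb' -o -name '*.erb' \) -print0 \
    | xargs -0 grep -nH -E 'html_safe|[^_[:alnum:]]raw\(|<%==' || true
}

# Step 4. permit! whitelists every key in the request and is the classic
# mass-assignment hole; plain permit(...) lists are printed as well so the
# inspector can read them for fields like admin or role.
find_mass_assignment() {
  # $1: root of the Rails app. Prints file:line:text for every match.
  find "$1/app" -type f -name '*.rb' -print0 \
    | xargs -0 grep -nH -E 'permit!|\.permit\(' || true
}

# Number of lines a check ($1) reports for an app root ($2).
count_matches() {
  "$1" "$2" | grep -c . || true
}

# Constructed fixture (hypothetical app): a tiny Rails-shaped tree with
# one finding of each kind plus a clean controller. Prints its path.
make_sample_app() {
  sample_dir=$(mktemp -d)
  mkdir -p "$sample_dir/app/views/posts" "$sample_dir/app/controllers" \
           "$sample_dir/app/helpers"
  cat > "$sample_dir/app/views/posts/show.html.erb" <<'EOF'
<h1><%= @post.title %></h1>
<div><%= @post.body.html_safe %></div>
<p><%== @post.summary %></p>
EOF
  cat > "$sample_dir/app/helpers/posts_helper.rb" <<'EOF'
module PostsHelper
  def render_bio(user)
    raw(user.bio)
  end
end
EOF
  cat > "$sample_dir/app/controllers/users_controller.rb" <<'EOF'
class UsersController < ApplicationController
  def update
    @user.update(params.require(:user).permit!)
  end
end
EOF
  cat > "$sample_dir/app/controllers/posts_controller.rb" <<'EOF'
class PostsController < ApplicationController
  def post_params
    params.require(:post).permit(:title, :body)
  end
end
EOF
  printf '%s\n' "$sample_dir"
}

# Run both checks against the fixture, the way an inspection would run
# them against the real app root.
app_root=$(make_sample_app)
echo "== step 3: html_safe / raw( / <%== ($(count_matches find_unsafe_html "$app_root") hits)"
find_unsafe_html "$app_root"
echo "== step 4: permit! / permit lists ($(count_matches find_mass_assignment "$app_root") hits)"
find_mass_assignment "$app_root"
rm -rf "$app_root"
```

The clean `<%= @post.title %>` line and the narrow `permit(:title, :body)` list are deliberately in the fixture: the first must not be reported, the second is reported for review but is the correct pattern. The regexes are intentionally loose; the point of the step is to produce a short list for a person to read, not to decide on its own what is exploitable.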
Past inspections

5th October 2014 - @alice

  • Fixed XSS vuln introduced thanks to stray html_safe call.
  • Fixed SQLi vuln caused by unparameterized where clause.

2nd September 2014 - @charlie

  • Nothing to report.

3rd August 2014 - @bob

  • Updated Rails to 4.7.23 in light of facesmash vulnerability