At the beginning of each month, we carry out a brief, high-level security inspection. The purpose is to be a sanity check for head-slapping, trivial vulnerabilities that no one expected would be in the code but somehow managed to creep in anyway.
One of @alice, @bob or @charlie should do the inspection if no one else has the time.
We should do an inspection at the beginning of every calendar month.
How to do an inspection
- Check Riding Rails for new Rails releases. Upgrade or patch if there are any new vulnerabilities.
- Upgrade (important!) and run `brakeman` on the codebase. Investigate and fix any issues it raises.
- Grep for `html_safe`. Fix any XSS vulnerabilities it might cause.
- Grep for `permit`. Check for and fix any resulting mass-assignment vulnerabilities.
- Spend a 15-minute timebox on checking code introduced since the last inspection for obvious security flaws.
- Update this file with your name, the date and anything you had to fix in the inspection.
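The grep and Brakeman steps above, scripted as an added helper (not part of this project's own tooling). It assumes the app checkout path is passed as the first argument, that views live in `.erb`/`.haml` files, and that `brakeman` is on `PATH` when installed via `gem`; the Brakeman and git steps are skipped with a note when the tool or repository is not present.

```shell
#!/bin/sh
# Added example: monthly inspection helper for a Rails checkout.
# Usage: inspect_repo /path/to/app

# Print every matching line as file:line:text so each hit can be reviewed by hand.
# File extensions are an assumption about where Ruby and template code lives.
grep_hits() {
  dir="$1"; pattern="$2"
  grep -rn --include='*.rb' --include='*.erb' --include='*.haml' \
       -e "$pattern" "$dir" 2>/dev/null
}

# Number of hits for a pattern (prints 0 when there are none).
count_hits() {
  grep_hits "$1" "$2" | wc -l | tr -d ' '
}

# Run Brakeman quietly if it is installed; otherwise say how to get it.
run_brakeman() {
  dir="$1"
  if command -v brakeman >/dev/null 2>&1; then
    brakeman -q "$dir"        # -q: suppress progress output (assumed flag)
  else
    echo "brakeman not installed; run: gem update brakeman && brakeman $dir"
    return 2
  fi
}

# The whole inspection: both greps, recent changes, then Brakeman.
inspect_repo() {
  dir="$1"
  echo "== html_safe sites (review each for XSS) =="
  grep_hits "$dir" 'html_safe'
  echo "== permit calls (review each for mass assignment) =="
  grep_hits "$dir" '\.permit('
  echo "== commits since the last inspection (timebox: 15 minutes) =="
  if git -C "$dir" rev-parse >/dev/null 2>&1; then
    git -C "$dir" log --since='1 month ago' --oneline --stat
  else
    echo "(not a git repository; skipping)"
  fi
  echo "== brakeman =="
  run_brakeman "$dir" || true
}
```

A non-zero hit count is not a vulnerability by itself; every `html_safe` and `permit` site still needs a human look, as the checklist says.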
5th October 2014 - @alice
- Fixed XSS vuln introduced thanks to stray
- Fixed SQLi vuln caused by unparameterized where clause.
2nd September 2014 - @charlie
- Nothing to report.
3rd August 2014 - @bob
- Updated Rails to 4.7.23 in light of facesmash vulnerability