At the beginning of each month, we carry out a brief, high-level security inspection. It is a sanity check for head-slapping, trivial vulnerabilities that no one expected to find in the code but that somehow managed to creep in anyway.
One of @alice, @bob or @charlie should do the inspection if no one else has the time.
We should do an inspection at the beginning of every calendar month.
- Check Riding Rails for new Rails releases. Upgrade or patch if there are any new vulnerabilities.
- Upgrade (important!) and run `brakeman` on the codebase. Investigate and fix any issues it raises.
- Grep for `html_safe`. Fix any XSS vulnerabilities it might cause.
- Grep for `permit`. Check for and fix any resulting mass-assignment vulnerabilities.
- Spend a 15 minute timebox on checking code introduced since the last inspection for obvious security flaws.
- Update this file with your name, the date and anything you had to fix in the inspection.
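A small helper for the grep steps above, added here as an example and not part of the original checklist. It lists every `html_safe`, `permit` and string-interpolated `where(...)` call site under `app/` so each one can be reviewed by hand, and builds a constructed sample app (hypothetical files, one hit per category next to a safe counterpart) so it can be tried offline.

```shell
#!/bin/sh
# Added inspection helper (not part of the original checklist): lists every
# call site of the APIs the checklist asks us to grep for, so each one can be
# reviewed by hand. Assumes the usual Rails layout (app/**/*.rb and *.erb).

# Print file:line:text for every match of an ERE pattern in Ruby/ERB sources.
grep_calls() {
  grep -rnE --include='*.rb' --include='*.erb' -e "$2" "$1" 2>/dev/null || true
}

# Number of matching lines for a pattern (prints 0 when there are none).
count_calls() {
  grep_calls "$1" "$2" | grep -c . || true
}

# The three greps from the checklist, run over one directory tree.
inspect_app() {
  dir="${1:-app}"
  echo "== html_safe: XSS if the string contains anything user-controlled"
  grep_calls "$dir" '\.html_safe'
  echo "== permit: mass assignment if a sensitive attribute is in the list"
  grep_calls "$dir" '\.permit[ (!]'
  echo "== where(...) with string interpolation: SQL injection"
  grep_calls "$dir" 'where\(.*"[^"]*#\{'
}

# Constructed sample app (demonstration only): one hit per category plus a
# safe counterpart of each, so the greps can be exercised without a real repo.
make_sample_app() {
  dir=$(mktemp -d)
  mkdir -p "$dir/app/views" "$dir/app/controllers" "$dir/app/models"
  cat > "$dir/app/views/show.html.erb" <<'EOF'
<%= @post.body.html_safe %>
<%= @post.title %>
EOF
  cat > "$dir/app/controllers/users_controller.rb" <<'EOF'
def user_params
  params.require(:user).permit(:name, :admin)
end
EOF
  cat > "$dir/app/models/post.rb" <<'EOF'
scope :by_author, ->(name) { where("author = '#{name}'") }
scope :safe_by_author, ->(name) { where(author: name) }
EOF
  echo "$dir/app"
}

inspect_app "$(make_sample_app)"
```

Run `inspect_app app` from the Rails root during the real inspection; the summary counts are only a starting point, every listed line still needs a human to decide whether the input is trusted.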
- Fixed XSS vuln introduced thanks to stray `html_safe` call.
- Fixed SQLi vuln caused by unparameterized where clause.
- Nothing to report.
- Updated Rails to 4.7.23 in light of facesmash vulnerability.