Improved: Security Monitor checks -- October 2013

A couple weeks ago, we rolled out improvements to Security Monitor including some news checks. Here’s a summary of the changes:

Additional Checks

Security Monitor now checks for:

• Unilaterally whitelisting an attribute named admin, role, banned, account_id, or any foreign key (via attr_accessible)
• Including hard coded passwords for certain forms of HTTP Basic Authentication support
• Additional avenues to shell command injection. Methods in Open3, and POSIX::Spawn for example will now be checked to ensure they are being called in a safe way.

Removed Duplicate Warnings

• Some Cross-Site Scripting (XSS) vulnerabilities were generating both high and low confidence warnings – they now only report as high confidence.

More Supported Syntax

• We can now parse, for the purposes of security scans, Ruby 2.0-specific syntax (such as keywords arguments).
• Slim 2.0 syntax is now supported