Improved: Security Monitor checks -- October 2013
A couple of weeks ago, we rolled out improvements to Security Monitor, including some new checks. Here's a summary of the changes:
Additional Checks
Security Monitor now checks for:
- Unilaterally whitelisting an attribute named admin, role, banned, account_id, or any foreign key (via attr_accessible).
- Hard-coded passwords in certain forms of HTTP Basic Authentication support.
- Additional avenues to shell command injection. Methods in Open3 and POSIX::Spawn, for example, will now be checked to ensure they are being called in a safe way.
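As an added illustration (this is not Security Monitor's own code), the following Ruby script sketches line-based versions of the three new checks and runs them over a constructed source sample. The regex heuristics, the method names and the sample classes are assumptions; a real scanner works on the parsed syntax tree rather than on text lines, so treat this as a picture of what each check looks for, with the flagged form next to its safe counterpart.

```ruby
# Added example: line-based sketches of the three checks described in the post.
# Not Security Monitor's implementation; patterns and sample source are assumptions.

RISKY_ATTRIBUTES = %w[admin role banned account_id].freeze

Finding = Struct.new(:line, :check, :detail)

# Check 1: attr_accessible whitelisting a privilege flag or any foreign key (*_id).
def check_attr_accessible(lineno, text)
  return nil unless text =~ /\battr_accessible\b/
  names = text.scan(/:(\w+)/).flatten
  bad = names.select { |n| RISKY_ATTRIBUTES.include?(n) || n.end_with?("_id") }
  return nil if bad.empty?
  Finding.new(lineno, :mass_assignment, "attr_accessible exposes #{bad.join(', ')}")
end

# Check 2: http_basic_authenticate_with whose password is a string literal.
def check_basic_auth_password(lineno, text)
  return nil unless text =~ /\bhttp_basic_authenticate_with\b/
  return nil unless text =~ /\bpassword\s*(?::|=>)\s*["']/
  Finding.new(lineno, :hardcoded_password, "http_basic_authenticate_with has a literal password")
end

# Check 3: Open3 / POSIX::Spawn given a single double-quoted string with interpolation.
# The argv form (command and arguments as separate strings) never reaches a shell.
SHELL_CALL = /\b(Open3|POSIX::Spawn)\.(\w+)\(\s*"((?:[^"\\]|\\.)*)"/
def check_shell_call(lineno, text)
  m = SHELL_CALL.match(text)
  return nil unless m && m[3].include?('#{')
  Finding.new(lineno, :command_injection, "#{m[1]}.#{m[2]} receives an interpolated shell string")
end

def scan(source)
  source.each_line.with_index(1).flat_map do |text, lineno|
    [check_attr_accessible(lineno, text),
     check_basic_auth_password(lineno, text),
     check_shell_call(lineno, text)].compact
  end
end

# Constructed sample: each flagged line sits next to its safe counterpart.
SAMPLE_SOURCE = <<~'RUBY'
  class User < ActiveRecord::Base
    attr_accessible :name, :email                # fine: ordinary profile fields
    attr_accessible :admin, :organization_id     # flagged: privilege flag and foreign key
  end

  class AdminController < ApplicationController
    http_basic_authenticate_with name: "ops", password: "s3cret"                 # flagged
    http_basic_authenticate_with name: "ops", password: ENV.fetch("ADMIN_PASS")  # fine
  end

  class Report
    def render(path)
      Open3.capture2("convert #{path} out.pdf")   # flagged: shell string built from input
      Open3.capture2("convert", path, "out.pdf")  # fine: argv form, no shell involved
    end
  end
RUBY

if $PROGRAM_NAME == __FILE__
  scan(SAMPLE_SOURCE).each do |f|
    puts format("line %2d  %-20s %s", f.line, f.check, f.detail)
  end
end
```

Run it directly and it reports three findings (lines 3, 7 and 13 of the sample); the neighbouring lines show the shapes the checks are happy with: a whitelist without privilege or foreign-key attributes, a password read from the environment, and a process spawned with an argument array instead of an interpolated command string.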
Removed Duplicate Warnings
- Some Cross-Site Scripting (XSS) vulnerabilities were generating both high and low confidence warnings – they now only report as high confidence.
More Supported Syntax
- We can now parse, for the purposes of security scans, Ruby 2.0-specific syntax (such as keyword arguments).
- Slim 2.0 syntax is now supported.