Improved: Security Monitor checks -- October 2013
A couple weeks ago, we rolled out improvements to Security Monitor including some news checks. Here's a summary of the changes:
Security Monitor now checks for:
- Unilaterally whitelisting an attribute named
account_id, or any foreign key (via
- Including hard coded passwords for certain forms of HTTP Basic Authentication support
- Additional avenues to shell command injection. Methods in
POSIX::Spawnfor example will now be checked to ensure they are being called in a safe way.
Removed Duplicate Warnings
- Some Cross-Site Scripting (XSS) vulnerabilities were generating both high and low confidence warnings -- they now only report as high confidence.
More Supported Syntax
- We can now parse, for the purposes of security scans, Ruby 2.0-specific syntax (such as keywords arguments).
- Slim 2.0 syntax is now supported