
Improved: Security Monitor checks -- October 2013

A couple of weeks ago, we rolled out improvements to Security Monitor, including some new checks. Here’s a summary of the changes:

Additional Checks

Security Monitor now checks for:

  • Unilaterally whitelisting an attribute named admin, role, banned, account_id, or any foreign key (via attr_accessible)
  • Including hard-coded passwords in certain forms of HTTP Basic Authentication support
  • Additional avenues to shell command injection. Methods in Open3 and POSIX::Spawn, for example, will now be checked to ensure they are called in a safe way.
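The shell-command-injection check distinguishes two ways of handing user input to Open3. The snippet below is an added illustration of that distinction, not code from Security Monitor or this changelog; the helper names and the sample input are constructed.

```ruby
# Added example (not from the Security Monitor page): the two ways of
# handing user input to Open3 that a shell-command-injection check
# distinguishes. Helper names and sample inputs are constructed.
require "open3"

# Unsafe: a single command string is handed to /bin/sh, so shell
# metacharacters in `name` (";", "|", "$(...)") change what runs.
def echo_unsafe(name)
  out, _status = Open3.capture2("echo #{name}")
  out
end

# Safe: program and arguments are passed separately, so no shell is
# involved and `name` reaches echo as one literal argument.
def echo_safe(name)
  out, _status = Open3.capture2("echo", name)
  out
end

# Constructed input containing shell metacharacters.
HOSTILE_NAME = "report.txt; echo injected"

if __FILE__ == $PROGRAM_NAME
  # The argv form prints the whole string literally, semicolon and all.
  puts echo_safe(HOSTILE_NAME)
end
```

Only the argv form is exercised with the metacharacter input; the string form is shown so the two shapes can be compared side by side.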

Removed Duplicate Warnings

  • Some Cross-Site Scripting (XSS) vulnerabilities were generating both high and low confidence warnings – they now only report as high confidence.

More Supported Syntax

  • We can now parse, for the purposes of security scans, Ruby 2.0-specific syntax (such as keyword arguments).
  • Slim 2.0 syntax is now supported.