Rails and web security reading list ? #24
New Rails 5.1 came out recently
It includes encrypted secrets and supports JS package mangers for easier updates. That’s important too because of JS vulnerabilities.
New version for authorization framework CanCanCan
Check and update your SSH keys with this easy command
Which security implications of the Serverless approach are better or worse?
And another post about serverless security issues
Replacing Disqus with Github Comments for less load time and far less tracking
Don’t repeat these 2FA design mistakes
Another Rails security checklist with a few bits
CloudFlare introduced TLS client-side authorization
Check your nginx config for security issues
Security Updates
PostgreSQL security update
Rails and web security digest ⚡ #23
CodeBuild, Brakeman, and CodePipeline
How to set up AWS CodeBuild (a CI server) to run brakeman
Login/logout CSRF: Time to reconsider?
Login/logout CSRF: Time to make them non-GET routes (you probably have already)
Rails GEMS Vulnerable to CSRF Show Vulnerability Disclosure in Open-Source Projects Needs a Re-Think
Content-Security-Policy Hackerone bypass
Check the popularity, maintenance and maturity of gems before using
Validation, Database Constraint, or Both?
Vulnerabilities
Update jQuery UI to 1.12.0
Rails and web application security ? Sunday #22
Used to Rails’ security? Check your plain Ruby code using Net::HTTP
Web application and Rails security reading list #21
A short story about how encryption can go very wrong with a (Ruby) workflow we’re all guilty of using.
The ongoing Content-Security-Policy journey at Github.
This time focusing on images and dangling markup. That’s when an attacker injects an <img> tag without closing it to extract the HTML of the rest of the page.
A new two-factor authentication lockout recovery process at Github: Using Facebook
The HTTPS-traffic via Firefox is now over 50% for the first time
There are now „Not Secure“ warnings for insecure pages with password and credit card input fields in Chrome and Firefox 51.
Mozilla’s coding and security checklist for their services
Ransom attacks turn to web apps, check your MongoDB, Elasticsearch, Redis, Cassandra, Hadoop
Rails security reading list, vulnerabilities and browser news (? edition)
Welcome! Also in 2017 we want to find the right mix of security information, vulnerabilities in Rails’ friends and browser news. Let’s see what was interesting this week:
Several ‘exotic’ security HTTP headers tested
Invisible Captcha: Spam protection gem
Another Rails security checklist
CSRF vulnerability in rails_admin gem
Tool to detect TLS/SSL vulnerabilities and versions
Version handling differences between RubyGems and npm
New Content-Security-Policy (CSP) directive require-sri-for coming to Chrome
Important security updates
There were also several memory problems in the versions before.
(Rails) security reading list and updates #19
Distrusting New WoSign and StartCom Certificates
Email Security – SPF
Protecting from XSS with Rails’ sanitize()
Rails API – throttling with Rack::Attack
How to quickly audit a Linux system from the command line
Be afraid of HTTP Public Key Pinning (HPKP)
Enforcing content security by default within Firefox
Observatory by Mozilla
Important security updates
[Gitlab] There were several important security update in the past for Gitlab.
[Mysql] Several critical security updates in a massive “Oracle Critical Patch Update Advisory”
[Memcached] Very critical vulnerabilities that allow for remote code execution
? Rails security update #18
Exploiting CORS Misconfigurations for Bitcoins and Bounties
Is Your Site Leaking Password Reset Links?
Referer
header. Fix this on your site if you care about a second layer of defense.CSP Mitigator
Rails and web security digest #17
Since Let’s Encrypt started, the adaption of HTTPS picked up speed. In Firefox the percentage of HTTPS page loads is now at 42%. Browsers also campaign for it. More & more of them mark forms with sensitive information as insecure. More about this in today’s interesting security news:
Ruby method and class injection
Is HTTP Public Key Pinning dead?
Storing Passwords in a Highly Parallelized World
Authorization with Pundit
Reshaping web defenses with strict Content Security Policy
Is your database affected by CVE-2016-6662?
Two Factor Authentication
Moving towards a more secure web
Ruby on Rails web security digest #16
It feels like after summer, the amount of security news increases again. Yes, also on the Rails security project, a few new articles about other forms of injection. Oh and here interesting reads from elsewhere: