Conductor_Audit_and_Update
movitto edited this page Jan 14, 2013 · 2 revisions
Integrating the best practices gem and starting to automate the verification of our application
Allocating the controllers & models for the next round of security work
Updating the remaining controllers based on the audit (settings, deployments, roles, realms, deployables, target/provider images)
Updating the remaining model classes based on the audit
Ensuring user data & session are properly encrypted over https
Add functionality to Conductor:
- create a pool family user role and new pool family when a new user is created
- reset and expire the session on login: http://guides.rubyonrails.org/security.html#session-fixation
- protect against CSRF: http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf
- add a catch-all method to routes, handling non-existing routes explicitly (currently there is a patch for this, but it breaks functionality)
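The session-fixation and CSRF items above are what Rails' `reset_session` and `protect_from_forgery` provide. The following plain-Ruby model is an added example, not Conductor code, written so it runs without Rails: an in-memory session store (constructed for the example) shows why a login that keeps the pre-authentication session id stays fixable, how a login that discards the old session and issues a fresh id closes that gap, and how a per-session CSRF token is issued and checked with a constant-time comparison. The class and method names are assumptions made for this illustration.

```ruby
require 'securerandom'

# Minimal in-memory session store standing in for a Rails session store.
# Constructed for this example; not part of Conductor.
class SessionStore
  def initialize
    @sessions = {}
  end

  # Issue a new random session id with an empty data hash.
  def create
    id = SecureRandom.hex(16)
    @sessions[id] = {}
    id
  end

  def [](id)
    @sessions[id]
  end

  def delete(id)
    @sessions.delete(id)
  end
end

# Hypothetical login/CSRF flow used to contrast the weak and hardened behaviour.
class AuthFlow
  attr_reader :store

  def initialize
    @store = SessionStore.new
  end

  # Weak login: the session id issued before authentication is kept, so an id
  # an attacker planted in the victim's browser remains valid after login.
  def login_keeping_session(session_id, user)
    data = @store[session_id]
    return nil unless data
    data[:user] = user
    session_id
  end

  # Hardened login: drop the pre-auth session and mint a fresh id on
  # authentication (the effect of reset_session in a Rails controller).
  def login_with_reset(session_id, user)
    @store.delete(session_id)
    new_id = @store.create
    @store[new_id][:user] = user
    new_id
  end

  # Per-session CSRF token embedded in forms; created lazily on first use.
  def csrf_token(session_id)
    data = @store[session_id]
    return nil unless data
    data[:csrf] ||= SecureRandom.base64(32)
  end

  # Verify a submitted token against the session's token without leaking
  # timing information (what protect_from_forgery checks on state-changing requests).
  def csrf_valid?(session_id, submitted)
    data = @store[session_id]
    expected = data && data[:csrf]
    return false if expected.nil? || submitted.nil?
    AuthFlow.secure_compare(expected, submitted)
  end

  # Constant-time string comparison over byte values.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  flow = AuthFlow.new
  planted = flow.store.create
  puts "weak login kept id:  #{flow.login_keeping_session(planted, 'alice') == planted}"
  fresh = flow.login_with_reset(planted, 'alice')
  puts "hardened login new id: #{fresh != planted}, old id gone: #{flow.store[planted].nil?}"
  token = flow.csrf_token(fresh)
  puts "valid token accepted: #{flow.csrf_valid?(fresh, token)}"
  puts "wrong token rejected: #{!flow.csrf_valid?(fresh, 'x' * token.bytesize)}"
end
```

In a Rails controller the same two steps are `reset_session` followed by re-populating the user into the new session, and `protect_from_forgery` in `ApplicationController` for the token check; the catch-all route item is a `routes.rb` concern and is not modelled here.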
Diff the codebase between the version audited and the current HEAD and audit the changes
- self-service / registration (? not necessarily needed as we can require authorization / manual signups)
Back to Hardening_the_app