
Consider moving of security:check documentation #4745


Closed
xelaris opened this issue Jan 3, 2015 · 8 comments

Comments

@xelaris
Contributor

xelaris commented Jan 3, 2015

While reading the rewritten security chapter I came across https://github.com/symfony/symfony-docs/blob/2.3/book/security.rst#checking-for-known-security-vulnerabilities-in-dependencies

IMO this part should be moved somewhere else (however I don't know where yet), since there is thematically no analogy to the rest of the chapter. Everything is about Symfony's security system as the first three words are telling, but this is about security vulnerabilities in dependencies.

@xelaris
Contributor Author

xelaris commented Jan 3, 2015

In addition... #4651 was merged in 2.3 but should be 2.5 as mentioned in #4651 (comment).
So I suppose it should not only be moved to another place but also to another branch.

@xabbuh
Member

xabbuh commented Jan 3, 2015

@xelaris Can you create a pull request reverting the change in the 2.3 branch?

@xelaris
Contributor Author

xelaris commented Jan 3, 2015

@xabbuh done #4746

@weaverryan
Member

Hey @xelaris! This is really great of you to catch - the whole point of rewriting the security chapter was to be more relevant, and remove things like this from it.

So you're right - the question is, what's the right place for this? Perhaps we need a new cookbook entry about actually "securing" your Symfony app, for example:

  • This paragraph about checking vendor security
  • Use a good password encoder (e.g. bcrypt)
  • Make sure csrf tokens are on
  • Use https
  • Use access_control OR make sure that you audit every controller to see that it's checking for whatever security you need
  • Ensuring that no *_dev.php controllers are being deployed
  • Not using 777 permissions on cache/logs (especially on a shared server, or understanding at least what it means if these are 777).

... and probably more! That's a little bit more of an undertaking, but maybe something that would be good in this day and age of security?
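Two items in the list above (no `*_dev.php` front controllers on the production host, no 777 permissions on `cache`/`logs`) are deployment-side checks that can be scripted. The following pre-deploy audit is an added example written for this thread; it is not code from the issue, the Symfony documentation or the Symfony project. It assumes the Symfony 2.x standard-edition layout (`web/` for front controllers, `app/cache` and `app/logs` for the writable directories) and that paths contain no whitespace; both function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the issue or the Symfony project): a pre-deploy audit
# for two hardening items discussed above. Assumes the Symfony 2.x standard
# layout: web/ holds the front controllers, app/cache and app/logs are writable.

# Print every development front controller (e.g. web/app_dev.php) found
# directly under web/. On a production host this list should be empty.
find_dev_front_controllers() {
    find "$1/web" -maxdepth 1 -type f -name '*_dev.php' 2>/dev/null
}

# Print each of app/cache and app/logs that is world-writable (o+w bit set,
# which is what chmod 777 grants). -perm -002 is POSIX and works in busybox.
find_world_writable_dirs() {
    for d in "$1/app/cache" "$1/app/logs"; do
        [ -d "$d" ] && [ -n "$(find "$d" -maxdepth 0 -perm -002)" ] && echo "$d"
    done
    return 0
}

# Run both checks against a project root and return the number of findings,
# so a deploy step can abort when the return code is non-zero.
# Limitation: word-splitting on $(...) means paths must not contain spaces.
audit_symfony_project() {
    findings=0
    for f in $(find_dev_front_controllers "$1"); do
        echo "WARN: development front controller present: $f"
        findings=$((findings + 1))
    done
    for d in $(find_world_writable_dirs "$1"); do
        echo "WARN: world-writable directory (777-style permissions): $d"
        findings=$((findings + 1))
    done
    return "$findings"
}
```

Usage: `audit_symfony_project /var/www/myapp || echo "deploy blocked"`. The script only reports; fixing a finding means deleting the `*_dev.php` controller from the deployed tree and tightening the directory mode (for example to 775 with the web server's group), which is deliberately left to the deployment tooling.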

@stof
Member

stof commented Jan 16, 2015

We could even recommend https://github.com/Roave/SecurityAdvisories to handle security issues in your deps (it forbids composer to select them in a composer update, with the same database as the security:check command).

@wouterj
Member

wouterj commented May 3, 2015

@weaverryan what about a new best practices chapter about Securing your application? (not to be mixed with Security)

@weaverryan
Member

I think that's a very cool idea - makes sense as a cookbook article to me, and I think it could be a very useful reference section on what you should be doing.

@javiereguiluz
Member

Closing it as "fixed" because the security checker now has its own article: http://symfony.com/doc/current/security/security_checker.html
