We assessed commit #abcd134

Describe some stuff.

Recommend some stuff.

Describe some stuff.

Recommend some stuff.

• What does it do? (business purpose)
• Who does it do this for? (internal / external customer base)
• What kind of information will it hold?
• What are the different types of roles?
• What aspects concern your client/customer/staff the most?

• Framework & Language - Rails/Ruby, Django/Python, mux/Golang
• 3rd party components, Examples:
  • Building libraries (rubygem, npm, jar, etc.)
  • JavaScript widgets - (marketing tracking, sales chat widget)
  • Reliant upon other applications - such as receiving webhook events
• Datastore - Postgresql, MySQL, Memcache, Redis, Mongodb, etc.

• Here is what the feature or product is supposed to do... what might go wrong?
• Okay - based on the tech stack, I've realized that the:
  • ORM - Does SQLi in this way
  • Template language introduces XSS in this way

• Look for instances of | safe in the template/views
• Look for OS commands
• Look at the ORM for instances of createNativeQuery()
• Developer expected x but I think we should try to see if y is possible

• Login page give error messages, check for enumeration
• Signup page allows for freeform passwords, does it implement proper password complexity?

• Uses @login_required decorator, is it applied on all endpoints appropriately?

• Logging configuration is in settings.py, check documentation for secure settings

• ORM where function allows for string concatenation, search for all instances

• References to base64 when handling passwords, is this bad?

• Code is ruby/rails, make sure and run brakeman before closing out

• GET /lulz LulzController.java
• POST /admin/rofl AdminRoflController.java

• ensure_logged_in

• /path/to/some/important/file.sh