Insecure Network Communication

Why is this important?

Ensuring that the data in transit is secured between users and your application is the most fundamental security requirement. If this security control is not in place then all bets are off and attackers have many ways to attack your users.

Check out this video for a high-level explanation:

Fixing Insecure Network Communication

Option A: Properly Set SSL Verification

Go through the issues that GuardRails identified in the PR.
Replace OpenSSL::SSL::VERIFY_NONE:

  http.verify_mode = OpenSSL::SSL::VERIFY_NONE

with OpenSSL::SSL::VERIFY_PEER:

  # Ensure that you have a valid certificate, otherwise this will raise
  # an OpenSSL::SSL::SSLError.
  # get free certificates at https://letsencrypt.org/
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER

Test it
Ship it 🚢 and relax 🌴

Option B: Use secure source URLs

Go through the issues that GuardRails identified in the PR.
Replace instances of source :XXXXXX:

  source :rubygems

with the explicit secure URL like

  source 'https://rubygems.org'

Test it
Ship it 🚢 and relax 🌴

More information:

Brakeman - SSL Verification Bypass
OWASP Top 10 - A3-Sensitive Data Exposure
Common Weakness Enumeration (CWE-295)
Let's Encrypt - Free SSL/TLS Certificates
Gemfile - insecure source usage

GuardRails

General

Apex

C/C++

Dotnet

Elixir

Go

Java

Javascript/TypeScript

Kubernetes

PHP

Python

Ruby

Rust

Solidity

Terraform