Insecure Network Communication
Why is this important?
Ensuring that the data in transit is secured between users and your application is the most fundamental security requirement. If this security control is not in place then all bets are off and attackers have many ways to attack your users.
Fixing Insecure Network Communication
Option A: Don't use insecure protocols
- Go through the issues that GuardRails identified in the PR
- Identify the affected lines that contain a reference to FTP or Telnet
- Either remove the logic that relies on them, or replace them with secure alternatives, such as SSH instead of Telnet
- Test it
- Ship it and relax
Option B: Properly Set SSL Verification
- Go through the issues that GuardRails identified in the PR
- Replace the following code sample, which has `verify=False` in it:

```python
import requests

# this is the vulnerable line: the server certificate is never checked,
# so any on-path party can present its own certificate
requests.get('https://www.openstack.org/', verify=False)
```

with the following:

```python
import requests

# Ensure that you have a valid certificate.
# get free certificates at https://letsencrypt.org/
# CONF.ca_file is the path to the CA bundle your application trusts (here taken
# from the application's configuration); verify=True, the default, uses the
# system trust store instead.
requests.get('https://www.openstack.org/', verify=CONF.ca_file)
```

- Test it
- Ship it and relax
Option C: Use Secure SSL/TLS version and config
- Go through the issues that GuardRails identified in the PR
- Identify the SSL/TLS related functionality, for example:

```python
ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv3)
```

- Make sure to avoid the following versions:
  - SSL v2
  - SSL v3
  - TLS v1
  - TLS v1.1
- Instead, it is recommended to use this:

```python
# ssl.wrap_socket was deprecated in Python 3.7 and removed in 3.12; on those
# versions build an ssl.SSLContext with minimum_version set to TLS 1.2 instead.
ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1_2)
```

- Test it
- Ship it and relax
Option D: Confirm the use of the secure API for HTTPSConnection
The HTTPSConnection API has changed often, even in minor Python releases. Python versions prior to 2.7.9 and 3.4.3 don't verify SSL certificates by default.
- Go through the issues that GuardRails identified in the PR
- Verify that HTTPSConnection is used. Three possible patterns are:

```python
httplib.HTTPSConnection(...)
http.client.HTTPSConnection(...)
six.moves.http_client.HTTPSConnection(...)
```

- Confirm that you are using a Python version greater than 2.7.9 and 3.4.3; otherwise use a secure alternative such as `create_default_context()`
- Test it
- Ship it and relax
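As an added example (not code from the GuardRails page or any project it references), the following Python shows the context-based form of the fixes in Options B, C and D on a current Python: a client `SSLContext` that verifies the certificate and hostname with TLS 1.2 as the floor, the unverified shape the page warns about, and a small audit that flags the difference before the context reaches `http.client.HTTPSConnection`. The names `secure_client_context`, `unverified_client_context`, `audit_context`, `https_connection`, the `cafile` parameter and the host `example.invalid` are assumptions of this example.

```python
import ssl
import http.client

# Protocol versions this page says to avoid. SSLv2 has no TLSVersion member
# because modern OpenSSL builds cannot negotiate it at all.
INSECURE_VERSIONS = {ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}


def secure_client_context(cafile=None):
    """Client context that verifies the server certificate and hostname and
    refuses anything below TLS 1.2. cafile is an optional path to a PEM CA
    bundle (the role CONF.ca_file plays on this page); None uses the system
    trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Explicit floor, so the result does not depend on Python/OpenSSL defaults.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unverified_client_context():
    """The insecure shape the page warns about: the equivalent of verify=False."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode may be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context meets this
    page's bar (certificate and hostname verification, TLS 1.2 or newer)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched against the host")
    if ctx.minimum_version in INSECURE_VERSIONS or ctx.minimum_version == ssl.TLSVersion.MINIMUM_SUPPORTED:
        findings.append("minimum_version permits TLS 1.1 or older")
    return findings


def https_connection(host, cafile=None):
    """Option D with the modern API: HTTPSConnection gets an explicit, audited
    context. Constructing the object does not open a socket."""
    ctx = secure_client_context(cafile)
    findings = audit_context(ctx)
    if findings:
        raise ValueError("refusing insecure TLS configuration: " + "; ".join(findings))
    return http.client.HTTPSConnection(host, context=ctx)
```

Running `audit_context` over the context a PR constructs gives a reviewable, version-independent check that goes beyond matching on `verify=False` or `PROTOCOL_SSLv3` in the source.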
More information can be found here: