Insecure Network Communication

Why is this important?

Ensuring that the data in transit is secured between users and your application is the most fundamental security requirement. If this security control is not in place then all bets are off and attackers have many ways to attack your users.

Check out this video for a high-level explanation:

Insufficient Transport Layer Protection

Fixing Insecure Network Communication

Option A: Don't use insecure protocols

  1. Go through the issues that GuardRails identified in the PR.
  2. Identify affected lines contain a reference to FTP, or Telnet
  3. Either remove the logic that relies on them, or alternatively replace them with secure alternatives such as SSH instead of Telnet.
  4. Test it
  5. Ship it 🚢 and relax 🌴

Option B: Properly Set SSL Verification

  1. Go through the issues that GuardRails identified in the PR.
  2. Replace verify=False:

    import requests
    # this is the vulnerable line
    requests.get('https://www.openstack.org/', verify=False)
    

    with the following:

    import requests
    # Ensure that you have a valid certificate.
    # get free certificates at https://letsencrypt.org/
    requests.get('https://www.openstack.org/', verify=CONF.ca_file)
    
  3. Test it

  4. Ship it 🚢 and relax 🌴

Option C: Use Secure SSL/TLS version and config

  1. Go through the issues that GuardRails identified in the PR.
  2. Identify the SSL/TLS related functionality.

    ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv3)
    
  3. Make sure to avoid the following versions:

    • SSL v2
    • SSL v3
    • TLS v1
    • TLS v1.1

    Instead, it is recommended to use this:

    ssl.wrap_socket(ssl_version=ssl.PROTOCOL_TLSv1_2)
    
  4. Test it

  5. Ship it 🚢 and relax 🌴

More information: