-
Notifications
You must be signed in to change notification settings - Fork 30
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
e898599
commit 33a29b7
Showing
2 changed files
with
108 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| { | ||
| "tags": [ | ||
| "cwe" | ||
| ], | ||
| "securityStandards": { | ||
| "CWE": [ | ||
| 200, | ||
| 319 | ||
| ], | ||
| "OWASP": [ | ||
| ], | ||
| "OWASP Mobile": [ | ||
| ], | ||
| "MASVS": [ | ||
| ], | ||
| "OWASP Top 10 2021": [ | ||
| ], | ||
| "PCI DSS 3.2": [ | ||
| "4.1", | ||
| "6.5.4" | ||
| ], | ||
| "PCI DSS 4.0": [ | ||
| "4.2.1", | ||
| "6.2.4" | ||
| ], | ||
| "ASVS 4.0": [ | ||
| ] | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,79 @@ | ||
| include::../description.adoc[] | ||
|
|
||
| == Ask Yourself Whether | ||
|
|
||
| * Application data needs to be protected against tampering or leaks when transiting over the network. | ||
| * Application data transits over an untrusted network. | ||
| * Compliance rules require the service to encrypt data in transit. | ||
| * OS-level protections against clear-text traffic are deactivated. | ||
|
|
||
| There is a risk if you answered yes to any of those questions. | ||
|
|
||
| == Recommended Secure Coding Practices | ||
|
|
||
| * Make application data transit over a secure, authenticated and encrypted protocol like TLS or SSH. Here are a few alternatives to the most common clear-text protocols: | ||
| ** Use ``++sftp++``, ``++scp++``, or ``++ftps++`` instead of ``++ftp++``. | ||
| ** Use ``++https++`` instead of ``++http++``. | ||
|
|
||
| It is recommended to secure all transport channels, even on local networks, as it can take a single non-secure connection to compromise an entire application or system. | ||
|
|
||
| == Sensitive Code Example | ||
|
|
||
| [source,yaml] | ||
| ---- | ||
| apiVersion: batch/v1 | ||
| kind: Job | ||
| metadata: | ||
| name: curl | ||
| spec: | ||
| template: | ||
| spec: | ||
| containers: | ||
| - name: curl | ||
| image: curlimages/curl | ||
| command: ["curl"] | ||
| args: ["http://example.com/"] # Sensitive | ||
| ---- | ||
|
|
||
| == Compliant Solution | ||
|
|
||
| [source,yaml] | ||
| ---- | ||
| apiVersion: batch/v1 | ||
| kind: Job | ||
| metadata: | ||
| name: curl | ||
| spec: | ||
| template: | ||
| spec: | ||
| containers: | ||
| - name: curl | ||
| image: curlimages/curl | ||
| command: ["curl"] | ||
| args: ["https://example.com/"] | ||
| ---- | ||
|
|
||
| == See | ||
|
|
||
| * https://cwe.mitre.org/data/definitions/200[MITRE, CWE-200] - Exposure of Sensitive Information to an Unauthorized Actor | ||
| * https://cwe.mitre.org/data/definitions/319[MITRE, CWE-319] - Cleartext Transmission of Sensitive Information | ||
| * https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html[Google, Moving towards more secure web] | ||
| * https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/[Mozilla, Deprecating non secure http] | ||
|
|
||
| ifdef::env-github,rspecator-view[] | ||
|
|
||
| ''' | ||
| == Implementation Specification | ||
| (visible only on this page) | ||
|
|
||
| == Message | ||
|
|
||
| * Make sure that using clear-text protocols is safe here. | ||
|
|
||
| == Highlighting | ||
|
|
||
| Highlight the URL. | ||
|
|
||
| ''' | ||
|
|
||
| endif::env-github,rspecator-view[] |