rayhanur-rahman / SLIC-Ansible


TSE Paper Writing TODO #7

Closed rayhanur-rahman closed 5 years ago

rayhanur-rahman commented 5 years ago

Have a look at this file: https://github.com/brokenquark/SLIC-Ansible/blob/master/filtered-repo-stat

akondrahman commented 5 years ago

Template for Invalid IP Address Binding

Greetings,

I am a security researcher who is looking for security smells in Chef scripts. I noticed instances of binding to 0.0.0.0. Binding an address to 0.0.0.0 indicates allowing connections from all IP addresses. I would like to draw attention to these instances. Binding to 0.0.0.0 may lead to denial of service attacks. Practitioners have reported how binding to 0.0.0.0 facilitated security issues for MySQL (https://serversforhackers.com/c/mysql-network-security), Memcached (https://news.ycombinator.com/item?id=16493480), and Kibana (https://www.elastic.co/guide/en/kibana/5.0/breaking-changes-5.0.html).

Any feedback is appreciated.

Source: File URL goes here

akondrahman commented 5 years ago

Template for Use of HTTP Without TLS

Greetings,

I am a security researcher who is looking for security smells in Chef scripts. I found instances where the HTTP protocol is used instead of HTTPS (HTTP with TLS). According to the Common Weakness Enumeration organization this is a security weakness (https://cwe.mitre.org/data/definitions/319.html). I was wondering why HTTP is used. Is it because of lack of tool support?

I am trying to find out if developers are forced to adopt bad practices due to lack of tool support when it comes to the HTTPS protocol. Maybe it is due to dependency on a resource that uses HTTP?

Any feedback is appreciated.

Source:

akondrahman commented 5 years ago

Template for Feedback on MD5 usage in Chef scripts

Greetings,

I am a security researcher who is looking for coding patterns that are indicative of security weaknesses in Chef scripts. In your repo I found instances of MD5 usage within Chef scripts. MD5 is breakable (http://merlot.usc.edu/csac-f06/papers/Wang05a.pdf). According to the Common Weakness Enumeration organization this is a security weakness (CWE-327: Use of a Broken or Risky Cryptographic Algorithm https://cwe.mitre.org/data/definitions/327.html).

I am trying to find out if you agree with the findings. Any feedback is appreciated.

Source:

akondrahman commented 5 years ago

Template for Feedback on suspicious comments in Chef scripts

Greetings,

I am a security researcher who is looking for security smells in Chef scripts. I found instances where certain keywords, such as TODO, HACK, FIXME, and bug repository IDs, appear in comments within Chef scripts. According to the Common Weakness Enumeration organization this is a security weakness (CWE-546: Suspicious Comment https://cwe.mitre.org/data/definitions/546.html).

I am trying to find out if you agree with the findings. I think it is possible to have a nuanced perspective. Any feedback is appreciated.

Source: File URL goes here

akondrahman commented 5 years ago

Template for Feedback on hard-coded secrets

Greetings,

I am a security researcher who is looking for security smells in Chef scripts. I found instances where usernames and passwords are specified within a Chef script. According to the Common Weakness Enumeration organization this is a security weakness (CWE-798: Hard-coded credentials https://cwe.mitre.org/data/definitions/798.html).

I am trying to find out if you agree with the findings and the reasons the usernames and passwords were introduced. Any feedback is appreciated.

Source: File URL goes here
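The five smells described in the templates above (binding to 0.0.0.0, HTTP without TLS, MD5 usage, suspicious comments, hard-coded credentials), as an added Python example that is not part of this thread and is not the SLIC-Ansible tool's own code: a line-level detector run over a constructed Ansible playbook. The regex heuristics, smell names, and the sample playbook are this example's own assumptions; the exclusion of Jinja expressions such as `{{ vault_admin_password }}` from the hard-coded-secret check is one way to avoid flagging vaulted values, and secret values are masked in the reported evidence.

```python
"""Toy line-level detector for the five security smells described in the
feedback templates. Constructed illustration only: not the SLIC-Ansible tool's
code, and its patterns are simple regex heuristics rather than a YAML parser."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    lineno: int    # 1-based line in the scanned script
    smell: str     # short smell name used by this example
    cwe: str       # CWE id quoted in the templates ("-" where none was given)
    evidence: str  # matched fragment, with any secret value masked


# Heuristic patterns (assumptions of this example, not the tool's rules).
INVALID_IP_BIND = re.compile(r"\b0\.0\.0\.0\b")
HTTP_WITHOUT_TLS = re.compile(r"\bhttp://[^\s\"']+", re.IGNORECASE)  # https:// never matches
MD5_USE = re.compile(r"\bmd5\w*", re.IGNORECASE)                    # md5, md5sum, md5:<digest>
COMMENT = re.compile(r"#(?P<body>.*)$")
# TODO/HACK/FIXME markers plus tracker-style ids such as HACK-42 or #123.
SUSPICIOUS_WORDS = re.compile(r"\b(TODO|HACK|FIXME)\b|\b[A-Z]{2,}-\d+\b|#\d+")
# "key: value" or "key = value" where the value is a literal. A value that
# starts with "{" is a Jinja expression (e.g. a vault lookup) and is skipped.
HARD_CODED_SECRET = re.compile(
    r"\b(password|passwd|pwd|secret|token|api_key)\b\s*[:=]\s*[\"']?(?P<value>[^\s\"'{]+)",
    re.IGNORECASE,
)


def scan(script: str) -> List[Finding]:
    """Return one Finding per (line, smell) detected in the script text."""
    findings: List[Finding] = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        if INVALID_IP_BIND.search(line):
            findings.append(Finding(lineno, "invalid_ip_binding", "-", "0.0.0.0"))
        m = HTTP_WITHOUT_TLS.search(line)
        if m:
            findings.append(Finding(lineno, "http_without_tls", "CWE-319", m.group(0)))
        m = MD5_USE.search(line)
        if m:
            findings.append(Finding(lineno, "md5_usage", "CWE-327", m.group(0)))
        c = COMMENT.search(line)
        if c and SUSPICIOUS_WORDS.search(c.group("body")):
            findings.append(Finding(lineno, "suspicious_comment", "CWE-546", c.group(0).strip()))
        m = HARD_CODED_SECRET.search(line)
        if m:
            # Report the key but never echo the literal secret itself.
            masked = line[m.start():m.start("value")] + "***"
            findings.append(Finding(lineno, "hard_coded_secret", "CWE-798", masked.strip()))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per smell, the per-file statistic a study would aggregate."""
    return dict(Counter(f.smell for f in findings))


# Constructed sample playbook; hostnames use the reserved .invalid TLD and the
# password is a placeholder, not a real credential.
SAMPLE_PLAYBOOK = """\
- name: Configure services (constructed sample, not a real playbook)
  hosts: db
  tasks:
    - name: Bind MySQL on all interfaces  # TODO harden this before release
      lineinfile:
        path: /etc/mysql/my.cnf
        line: bind-address = 0.0.0.0
    - name: Fetch installer over plain HTTP
      get_url:
        url: http://mirror.example.invalid/pkg.tar.gz
        dest: /tmp/pkg.tar.gz
        checksum: md5:d41d8cd98f00b204e9800998ecf8427e
    - name: Create application user
      mysql_user:
        name: appuser
        password: EXAMPLE_NOT_A_REAL_PASSWORD
    - name: Create admin user with vaulted secret
      mysql_user:
        name: admin
        password: "{{ vault_admin_password }}"   # see HACK-42 in the tracker
    - name: Secure download
      get_url:
        url: https://mirror.example.invalid/pkg.tar.gz
        dest: /tmp/pkg2.tar.gz
"""

if __name__ == "__main__":
    results = scan(SAMPLE_PLAYBOOK)
    for f in results:
        print(f"line {f.lineno:>2}  {f.smell:<20} {f.cwe:<8} {f.evidence}")
    print(summarize(results))
```

Running it flags six lines: the TODO comment, the 0.0.0.0 bind, the plain-HTTP URL, the MD5 checksum, the literal password, and the HACK-42 comment; the vaulted password and the HTTPS URL are left alone. Because the checks are per line, a finding is tied to a statement rather than to a whole file, which is the granularity the later discussion in this thread says manual validation should also use.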

rayhanur-rahman commented 5 years ago

Thanks a lot.

rayhanur-rahman commented 5 years ago

YAML file counts and YAML SLOC counts have been updated after considering only the YAML files inside the playbook folder.

rayhanur-rahman commented 5 years ago

I am not necessarily happy with the tool validation. We have checked only 150 files, and the manual inspection was done at the file level, but it should have been done at the statement level.

If I were a reviewer, I would have asked for further inspection.