Co-authored-by: pierre-loup-tristant-sonarsource <[email protected]>
1 parent 23e23ae, commit ea81fee. Showing 2 changed files with 111 additions and 0 deletions.
@@ -0,0 +1,42 @@ | ||
{ | ||
"securityStandards": { | ||
"CWE": [ | ||
200, | ||
319 | ||
], | ||
"OWASP": [ | ||
|
||
], | ||
"OWASP Mobile": [ | ||
|
||
], | ||
"MASVS": [ | ||
|
||
], | ||
"OWASP Top 10 2021": [ | ||
|
||
], | ||
"PCI DSS 3.2": [ | ||
"4.1", | ||
"6.5.4" | ||
], | ||
"PCI DSS 4.0": [ | ||
"4.2.1", | ||
"6.2.4" | ||
], | ||
"ASVS 4.0": [ | ||
|
||
], | ||
"STIG ASD_V5R3": [ | ||
"V-222397", | ||
"V-222534", | ||
"V-222562", | ||
"V-222563", | ||
"V-222577", | ||
"V-222596", | ||
"V-222597", | ||
"V-222598", | ||
"V-222599" | ||
] | ||
} | ||
} |
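Review bot: the "OWASP", "OWASP Mobile", "MASVS", "OWASP Top 10 2021" and "ASVS 4.0" arrays in this securityStandards block are left empty while "CWE" (200, 319), both PCI DSS versions and nine STIG ASD_V5R3 entries are filled in, which reads like a partially completed copy of a sibling rule's metadata rather than a deliberate choice. Either populate those lists with the categories the rule's shared description already maps clear-text transmission to, or add a short note in the commit or PR that the Ansible variant intentionally carries no OWASP/ASVS/MASVS mapping, so the next reader does not have to guess whether an empty array is an omission.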
@@ -0,0 +1,69 @@ | ||
include::../description.adoc[] | ||
|
||
== Ask Yourself Whether | ||
|
||
* Application data needs to be protected against tampering or leaks when transiting over the network. | ||
* Application data transits over an untrusted network. | ||
* Compliance rules require the service to encrypt data in transit. | ||
* OS-level protections against clear-text traffic are deactivated. | ||
|
||
There is a risk if you answered yes to any of those questions. | ||
|
||
== Recommended Secure Coding Practices | ||
|
||
* Make application data transit over a secure, authenticated and encrypted protocol like TLS or SSH. Here are a few alternatives to the most common clear-text protocols: | ||
** Use ``++sftp++``, ``++scp++``, or ``++ftps++`` instead of ``++ftp++``. | ||
** Use ``++https++`` instead of ``++http++``. | ||
|
||
It is recommended to secure all transport channels, even on local networks, as it can take a single non-secure connection to compromise an entire application or system. | ||
|
||
== Sensitive Code Example | ||
|
||
[source,yaml] | ||
---- | ||
- name: HTTP request | ||
hosts: all | ||
tasks: | ||
- name: Noncompliant | ||
uri: | ||
url: http://example.com # Sensitive | ||
---- | ||
|
||
== Compliant Solution | ||
|
||
[source,yaml] | ||
---- | ||
- name: HTTPS request | ||
hosts: all | ||
tasks: | ||
- name: Noncompliant | ||
uri: | ||
url: https://example.com | ||
---- | ||
|
||
== See | ||
|
||
include::../common/resources/documentation.adoc[] | ||
|
||
include::../common/resources/articles.adoc[] | ||
|
||
include::../common/resources/standards-iac.adoc[] | ||
|
||
|
||
ifdef::env-github,rspecator-view[] | ||
|
||
''' | ||
== Implementation Specification | ||
(visible only on this page) | ||
|
||
== Message | ||
|
||
* Make sure that using clear-text protocols is safe here. | ||
|
||
== Highlighting | ||
|
||
Highlight the URL. | ||
|
||
''' | ||
|
||
endif::env-github,rspecator-view[] |
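Review bot: the task under the Compliant Solution is still named `Noncompliant` (`- name: Noncompliant` beneath `- name: HTTPS request`), so the compliant snippet contradicts its own heading and looks like an uncorrected copy of the sensitive example; rename it to `- name: Compliant`. Two smaller points in the same hunk: "There is a risk if you answered yes to any of those questions." reads better as "these questions", and the examples reference the module by its short name `uri`, which works but differs from the fully qualified `ansible.builtin.uri` form that current Ansible documentation recommends; using the FQCN in both snippets keeps them consistent with the highlighting, which targets only the URL.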