Audit testing the code

Hi, I’m new to ruby on rails and discourse.
I wanted to verify the security of the code by doing some audit testing. I’m aware that it can sometimes falsely detect problems.
I was wondering if Discourse had any audit testing already integrated. I tried integrating Brakeman and it gave me a bunch of different warnings like SQL injection, dangerous evaluation and SSL verification bypass. I’m in the process of verifying the validity of each warning, but I’m sometimes uncertain whether or not I should discard the warning.
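Since the question is about deciding which Brakeman warnings to keep, here is an added example of a small triage script, not code from Discourse or from Brakeman. It reads a report in the shape of `brakeman -f json` output (the sample report below is constructed for this example and does not describe real findings), ranks each warning by Brakeman's confidence level plus two assumed heuristics (whether the file is on a production code path, and whether Brakeman traced user input into the sink), and emits entries in the shape of a `config/brakeman.ignore` file for warnings you decide to discard, requiring a written note for each one. The path list and the warning-type list are assumptions for this example.

```ruby
require "json"

# Constructed sample in the shape of `brakeman -f json` output. The warnings are
# invented for this example and are not findings against Discourse; the field
# names follow Brakeman's JSON report (warning_type, confidence, file, line,
# user_input, fingerprint).
SAMPLE_REPORT = <<~'JSON'
  {
    "warnings": [
      {"warning_type": "SQL Injection", "confidence": "High",
       "file": "app/models/widget.rb", "line": 12,
       "user_input": "params[:name]", "fingerprint": "a1"},
      {"warning_type": "SQL Injection", "confidence": "Medium",
       "file": "lib/tasks/cleanup.rake", "line": 7,
       "user_input": null, "fingerprint": "b2"},
      {"warning_type": "Dangerous Eval", "confidence": "Weak",
       "file": "app/helpers/widget_helper.rb", "line": 30,
       "user_input": null, "fingerprint": "c3"},
      {"warning_type": "SSL Verification Bypass", "confidence": "High",
       "file": "lib/fetcher.rb", "line": 5,
       "user_input": null, "fingerprint": "d4"},
      {"warning_type": "Cross-Site Scripting", "confidence": "Medium",
       "file": "app/views/widgets/show.html.erb", "line": 3,
       "user_input": "params[:q]", "fingerprint": "e5"}
    ]
  }
JSON

CONFIDENCE_RANK = { "High" => 0, "Medium" => 1, "Weak" => 2 }.freeze
# Warning types where Brakeman traces user input into a sink; when `user_input`
# is null the flagged value is usually a constant or an internal string.
# (List assumed for this example.)
INJECTION_TYPES = ["SQL Injection", "Command Injection", "Dangerous Eval",
                   "Cross-Site Scripting", "Remote Code Execution"].freeze
# Paths that do not run in production (assumed layout for this example).
NON_PRODUCTION = %r{\A(spec|test|script|lib/tasks|db/migrate)/}

# Lower score = look at it sooner. Each heuristic that weakens the warning
# adds one to the score and records why.
def score_warning(w)
  score = CONFIDENCE_RANK.fetch(w["confidence"], 2)
  notes = []
  if NON_PRODUCTION.match?(w["file"])
    score += 1
    notes << "outside the production code path"
  end
  if INJECTION_TYPES.include?(w["warning_type"]) && w["user_input"].nil?
    score += 1
    notes << "no user input traced into the sink"
  end
  bucket = score.zero? ? :review_first : (score == 1 ? :review : :likely_false_positive)
  { "fingerprint" => w["fingerprint"], "type" => w["warning_type"],
    "location" => "#{w["file"]}:#{w["line"]}", "score" => score,
    "bucket" => bucket, "notes" => notes }
end

def triage(report_json)
  warnings = JSON.parse(report_json).fetch("warnings")
  warnings.map { |w| score_warning(w) }
          .sort_by { |t| [t["score"], t["location"]] }
end

# Build the `ignored_warnings` list in the shape of Brakeman's brakeman.ignore
# file. A note is mandatory: a discarded warning without a reason is exactly
# what an auditor will ask about later.
def ignore_entries(triaged, notes_by_fingerprint)
  triaged.select { |t| notes_by_fingerprint.key?(t["fingerprint"]) }.map do |t|
    note = notes_by_fingerprint[t["fingerprint"]].to_s.strip
    raise ArgumentError, "empty note for #{t["fingerprint"]}" if note.empty?
    { "fingerprint" => t["fingerprint"], "note" => note }
  end
end

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_REPORT).each do |t|
    puts format("%-22s %-2d %-36s %s", t["bucket"], t["score"], t["location"], t["notes"].join("; "))
  end
  puts JSON.pretty_generate("ignored_warnings" => ignore_entries(triage(SAMPLE_REPORT),
                                                                  "b2" => "rake task, ids come from the operator"))
end
```

Note that a high-confidence SSL verification bypass gets no penalty for the missing `user_input`: that class of warning is about configuration, not about tainted data, so the absence of traced input says nothing about whether it is real. The heuristics only order the queue; each warning still has to be read in context before it is ignored.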

Welcome!

That doesn’t seem like a very good first task to take on if you’re not very familiar with rails and Discourse.

The Discourse team takes security very seriously and, in addition to their team of full-time developers, has HackerOne actively looking for security issues: HackerOne. See also How secure is Discourse?

Unless you’re testing the security of code that you developed, I’d recommend that you spend your time on mostly anything else. The likelihood that an automated tool will identify a legitimate security issue is very, very close to nil. There are a bunch of people with a better sense of security issues in Rails and Discourse than you who are actively working on the job.


Thank you for the fast response.

I have seen that. Even if I fully trust the security of Discourse, I had to run an audit for company policy to ease the integration process. Everything else seems perfect, so that’s why I was wondering if they include audit testing functionalities.


Ah. I see. Well, if you do find something, you might make some money on the side! :crazy_face:

I think that most of that testing gets done in rails specs and qunit tests, but it looks like I’m no help on this one.


OK, but still, thank you for your help.
