4392-update security best practices (#4395)

We do use SAST tools, updating documentation to reflect.
This commit is contained in:
Guillaume Ross 2022-03-02 12:56:25 -05:00 committed by GitHub
parent c895bbb9eb
commit 1d38172435
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -13,12 +13,16 @@ The Fleet community follows best practices when coding. Here are some of the way
### Describe your secure coding practices, including code reviews, use of static/dynamic security testing tools, 3rd party scans/reviews.
Every piece of code that is merged into Fleet is reviewed by at least one other engineer before merging. We don't use any security-specific testing tools.
Code commits to Fleet go through a series of tests, including SAST (static application security testing).
Every piece of code that is merged into Fleet is reviewed by at least one other engineer before merging.
The server backend is built in Golang, which (besides for language-level vulnerabilities) eliminates buffer overflow and other memory related attacks.
We use standard library cryptography wherever possible, and all cryptography is using well-known standards.
Libraries are inventoried and monitored for vulnerabilities. Our process for fixing vulnerable libraries and other vulnerabilities is available in our [handbook](https://fleetdm.com/handbook/security#vulnerability-management).
### SQL injection
All queries are parameterized with MySQL placeholders, so MySQL itself guards against SQL injection and the Fleet code does not need to perform any escaping.