Najaf · September 10, 2015 19:31 · Nov 11, 2014 · Nov 11, 2014
diff --git a/SECURITY.md b/SECURITY.md
@@ -28,6 +28,10 @@ We should do an inspection at the beginning of every calendar month.
 * Fixed XSS vuln introduced thanks to stray `html_safe` call.
 * Fixed SQLi vuln caused by unparameterized where clause.
 
+### 2nd September 2014 - @charlie
+
+* Nothing to report.
+
 ### 3rd August 2014 - @bob
 
 * Updated Rails to 4.7.23 in light of facesmash vulnerability
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,33 @@
+# Security inspections
+
+At the beginning of each month, we carry out a brief, high-level security inspection. The purpose is to be a sanity check for head-slapping, trivial vulnerabilities that no one expected would be in the code but somehow managed to creep in anyway.
+
+## Who's responsible?
+
+One of @alice, @bob or @charlie should do the inspection if no one else has the time.
+
+## How often?
+
+We should do an inspection at the beginning of every calendar month.
+
+## How to do an inspection
+
+1. Check [Riding Rails][rr] for new Rails releases. Upgrade or patch if there are any new vulnerabilities.
+2. Upgrade (important!) and run `brakeman` on the codebase. Investigate and fix any issues it raises.
+3. Grep for `html_safe`. Fix any XSS vulnerabilities it might cause.
+4. Grep for `permit`. Check for & fix any resulting mass-assignment vulnerabilities.
+5. Spend a 15 minute timebox on checking code introduced since the last inspection for obvious security flaws.
+6. Update this file with your name, the date and anything you had to fix in the inspection.
+
+[rr]: http://weblog.rubyonrails.org/
+
+## Past inspections
+
+### 5th October 2014 - @alice
+
+* Fixed XSS vuln introduced thanks to stray `html_safe` call.
+* Fixed SQLi vuln caused by unparameterized where clause.
+
+### 3rd August 2014 - @bob
+
+* Updated Rails to 4.7.23 in light of facesmash vulnerability
No results found