Consider moving of security:check documentation

[xelaris]

While reading the rewritten security chapter I came across https://github.com/symfony/symfony-docs/blob/2.3/book/security.rst#checking-for-known-security-vulnerabilities-in-dependencies

IMO this part should be moved somewhere else (however I don't know where yet), since there is thematically no analogy to the rest of the chapter. Everything is about Symfony's security system as the first three words are telling, but this is about security vulnerabilities in dependencies.

[xelaris]

In addition... #4651 was merged in 2.3 but should be 2.5 as mentioned in #4651 (comment)
So I suppose it should not only moved to another place but also to another branch.

[xabbuh]

@xelaris Can you create a pull request reverting the change in the 2.3 branch?

[xelaris]

@xabbuh done #4746

[weaverryan]

Hey @xelaris! This is really great of you to catch - the whole point of rewriting the security chapter was to be more relevant, and remove things like this from it.

So you're right - the question is, what's the right place for this? Perhaps we need a new cookbook entry about actually "securing" your Symfony app, for example:

• This paragraph about checking vendor security
• Use a good password encoder (e.g. bcrypt)
• Make sure csrf tokens are on
• Use https
• Use access_control OR make sure that you audit every controller to see that it's checking for whatever security you need
• Ensuring that no *_dev.php controllers are being deployed
• Not using 777 permissions on cache/logs (especially on a shared server, or understanding at least what it means if these are 777).

... and probably more! That's a little bit more of an undertaking, but maybe something that would be good in this day and age of security?

[stof]

We could even recommend https://github.com/Roave/SecurityAdvisories to handle security issues in your deps (it forbids composer to select them in a composer update, with the same database than the security:check command)

[wouterj]

@weaverryan what about a new best practices chapter about Securing your application? (not to be mixed with Security)

[weaverryan]

I think that's a very cool idea - makes sense as a cookbook article to me, and I think it could be a very useful reference section on what you should be doing.

[javiereguiluz]

Closing it as "fixed" because the security checker now has its own article: http://symfony.com/doc/current/security/security_checker.html