
security_monkey's Introduction

NOTE: Security Monkey is in maintenance mode and will be end-of-life in 2020.

Security Monkey


Security Monkey monitors your AWS and GCP accounts for policy changes and alerts on insecure configurations. Support is available for OpenStack public and private clouds. Security Monkey can also watch and monitor your GitHub organizations, teams, and repositories.

It provides a single UI to browse and search through all of your accounts, regions, and cloud services. The monkey remembers previous states and can show you exactly what changed, and when.

Security Monkey can be extended with custom account types, custom watchers, custom auditors, and custom alerters.

It works on CPython 2.7. It is known to work on Ubuntu Linux and OS X.


Special Note:

Netflix's support for Security Monkey has been reduced to minor bug fixes only. That being said, we are happy to accept and merge pull requests that fix bugs and add new features as appropriate.

🚨⚠️🥁🎺 PLEASE READ: BREAKING CHANGES FOR 1.0 🎺🥁⚠️🚨

If you are upgrading to 1.0 for the first time, please review the Quickstart and the Autostarting documents as there is a new deployment pattern for Security Monkey. Also, new IAM permissions have been added.

Project resources

Instance Diagram

The components that make up Security Monkey are as follows (not AWS specific): [diagram]

Access Diagram

Security Monkey accesses accounts to scan via credentials it is provided ("Role Assumption" where available). [diagram]


security_monkey's Issues

Automate role creation in multiple accounts

Is there a way to automate the creation of the SecurityMonkey roles? We have multiple accounts and getting the account owners to follow the account creation directions will be difficult. Can this be done with the API, CLI or Puppet?

SM Lacks Content Security Policy

After setting the CSP headers and replacing main.dart.js with main.dart.precompiled.js, the application breaks:

"Deprecation: Automatic generation of output for Content Security Policy is deprecated and will be removed with the next development
release. Use the --csp option to generate CSP restricted output. "

and then failed with this:

main.dart.precompiled.js::83551
append$1: [function(receiver, newChild) {
      return receiver.appendChild(newChild);
      ^^ Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

The javascript builder doesn't yet accept a --csp flag. Florian asked that I open an issue in the Dart project to track the problem. I'll link to the dart issue once I have created it. Could also be an issue in the Security Monkey searchpage view, as that file does contain a script element:

<script src="js/searchpage.js">
</script>

Some changes are not emailed

Hi,

We have noticed that some of the changes in various AWS resources are not getting emailed to the security team. However, I am able to see the changes in the Security Monkey console. I also confirmed the changes in the /tmp/securitymonkey.log file.

For example, I made changes in a security group (removed some IPs and added a new one).

Is this a bug or am I missing something?

forgot password and confirm account links do not work

When clicking on either the "forgot password" or "confirm account" links, a 404 Not Found error is thrown.

This is from the error log (IP and hostname obfuscated):
2014/07/09 15:10:19 [error] 1064#0: *76 open() "/home/ubuntu/security_monkey/security_monkey/static/reset" failed (2: No such file or directory), client: XX.XX.XX.XX, server: , request: "GET /reset HTTP/1.1", host: "myhostname", referrer: "https://myhostname/login"

"object has no attribute 'lower'"

in security_monkey/__init__.py

if send_report == 'true' or send_report == 'True':

Causes an error:
"object has no attribute 'lower'"

Changing to
if send_report == 'True':

solves the issue

Ubuntu 14.04, Python 2.7.6

Not able to create account

Hello,

I have followed the Quick Start Guide and am facing the issues below -

  1. When I first open the url/page, as per the doc, I should see the 'Login' page; instead I see all options available after login, and the user is Anonymous.
  2. When I tried to add an account, it does nothing. Nginx log says " [error] 17478#0: *99 connect() failed (111: Connection refused) while connecting to upstream, client: x.x.x.x, server: , request: "POST /api/1/account HTTP/1.1", upstream: "http://127.0.0.1:5000/api/1/account", host: "ec2-x-x-x-x.us-west-2.compute.amazonaws.com", referrer: "https://ec2-x-x-x-x.us-west-2.compute.amazonaws.com/"
  3. I also noticed that port 5000 is not running.

Please guide me to right direction.

[wish] Support for non-AWS deployment

According to doc and my understanding of common/sts_connect.py, security_monkey needs to be deployed on an AWS machine. From a quick glance at boto, it should support several remote auth methods to access the AWS API and gather the information needed by auditors classes.

Do you have any plans to support this kind of detached deployment with remote API access, or are there any technical issues in doing so?

Supervisorctl fails immediately on start

The supervisord process stays up with no issue, but when going to the next step in the quickstart "sudo -E supervisorctl -c security_monkey.ini", it fails every time. I am not an expert in Python, so getting a resolution here has been challenging. If you need further information, let me know.

2014-07-14 14:39:26,993 INFO exited: securitymonkey (exit status 1; not expected)
2014-07-14 14:39:26,993 DEBG received SIGCLD indicating a child quit
2014-07-14 14:39:27,994 INFO gave up: securitymonkey entered FATAL state, too many start retries too quickly
2014-07-14 14:39:28,997 INFO spawned: 'securitymonkeyscheduler' with pid 24468
2014-07-14 14:39:29,855 DEBG 'securitymonkeyscheduler' stderr output:
INFO:apscheduler.scheduler:Scheduler has been shut down

python manage.py db upgrade AttributeError

When running the manage.py script I get an error.

$ python manage.py db upgrade
Traceback (most recent call last):
  File "manage.py", line 17, in <module>
    from security_monkey import app, db
  File "/home/ubuntu/security_monkey/security_monkey/__init__.py", line 22, in <module>
    handler = RotatingFileHandler(app.config.get('LOG_FILE'), maxBytes=10000000, backupCount=100)
  File "/usr/lib/python2.7/logging/handlers.py", line 117, in __init__
    BaseRotatingHandler.__init__(self, filename, mode, encoding, delay)
  File "/usr/lib/python2.7/logging/handlers.py", line 64, in __init__
    logging.FileHandler.__init__(self, filename, mode, encoding, delay)
  File "/usr/lib/python2.7/logging/__init__.py", line 893, in __init__
    self.baseFilename = os.path.abspath(filename)
  File "/usr/lib/python2.7/posixpath.py", line 367, in abspath
    if not isabs(path):
  File "/usr/lib/python2.7/posixpath.py", line 61, in isabs
    return s.startswith('/')
AttributeError: 'NoneType' object has no attribute 'startswith'

Noob question - Configuring the Application

Hello,
I am installing this software in a development environment for testing. I am at the part where I need to configure the application and I am stuck where I need to provide a 'secret_key' and a 'security_password_salt'.

Is the secret key referring to the AWS secret key for my aws iam? If not, how do I generate the secret key and the security password salt key the configuration is looking for?

SECRET_KEY = '<INSERT_RANDOM_STRING_HERE>'

SECURITY_PASSWORD_HASH = 'bcrypt'
SECURITY_PASSWORD_SALT = '<INSERT_RANDOM_STRING_HERE>'
SECURITY_POST_LOGIN_VIEW = 'https://ec2-XX-XXX-XXX-XXX.compute-1.amazonaws.com/'

Thank you for the assistance.

Security monkey should re-examine objects to see if they contain new issues

If I create a security group with port 80 open to the world then it will raise an issue to tell me as much. I can then add a justification to explain that this was intentional and isn't a problem.

However, if the security group is later modified to open port 22 or 25 to the world then the prior justification will mask this as an issue.

I have yet to delve into the code, but I would like to see either rules being the level at which justifications are applied or justifications having to be reasserted after any detected changes.
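Both options raised in the issue above, sketched as an added example that is not Security Monkey's own code: justifications are keyed to a fingerprint of the individual finding (so a newly opened port is never masked), and an optional mode also requires re-assertion once the item's configuration hash changes. The data model, function names and sample security groups are assumptions constructed for illustration.

```python
import hashlib
import json

WORLD = "0.0.0.0/0"


def audit_security_group(group):
    """Return one issue per ingress rule that is open to the world."""
    issues = []
    for rule in group["rules"]:
        if rule["cidr"] == WORLD:
            issues.append({
                "issue": "Ingress open to the world",
                "notes": "{0}/{1}".format(rule["proto"], rule["port"]),
            })
    return issues


def _digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode("utf-8")).hexdigest()


def fingerprint(group, issue):
    """Identify one finding: the item, the issue type and the specific rule."""
    return _digest([group["id"], issue["issue"], issue["notes"]])


def config_hash(group):
    """Hash the whole configuration; rules are sorted so order does not matter."""
    rules = sorted(group["rules"], key=lambda r: json.dumps(r, sort_keys=True))
    return _digest({"id": group["id"], "rules": rules})


def justify(group, issue, reason, store):
    """Record a justification for one finding against the current config."""
    store[fingerprint(group, issue)] = {
        "reason": reason,
        "config_hash": config_hash(group),
    }


def open_issues(group, store, require_reassert=False):
    """Return findings that are not covered by a valid justification.

    require_reassert=False: a justification covers only the finding it was
    written for, so new rules surface as new issues.
    require_reassert=True: additionally, every justification lapses once the
    item's configuration differs from the one it was written against.
    """
    current = config_hash(group)
    result = []
    for issue in audit_security_group(group):
        record = store.get(fingerprint(group, issue))
        if record is None:
            result.append(issue)
        elif require_reassert and record["config_hash"] != current:
            result.append(issue)
    return result


# Constructed sample data: the same group before and after port 22 is opened.
SG_V1 = {"id": "sg-example", "rules": [
    {"proto": "tcp", "port": 80, "cidr": WORLD},
]}
SG_V2 = {"id": "sg-example", "rules": [
    {"proto": "tcp", "port": 80, "cidr": WORLD},
    {"proto": "tcp", "port": 22, "cidr": WORLD},
]}


def demo():
    store = {}
    justify(SG_V1, audit_security_group(SG_V1)[0], "public web server", store)
    per_rule = [i["notes"] for i in open_issues(SG_V2, store)]
    reassert = [i["notes"] for i in open_issues(SG_V2, store, require_reassert=True)]
    return per_rule, reassert


if __name__ == "__main__":
    print(demo())
```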

run_account commented out

Should this line really be commented out in security_monkey/__init__.py

scheduler.add_interval_job(run_account, minutes=interval, args=[account])

Seems as I traced the code without this running, it will never build the initial database and will not add new objects.

Encrypted DB

There is a ton of valuable data in the postgres db. Any plans on adding encryption?

Remove shadow_dom dependency

The shadow_dom package is deprecated, in favor of the web_components package. It also doesn't appear that shadow_dom is directly used anywhere.

Remove usage of package:js

package:js will cause dart2js output to be bloated in the presence of other mirrors usage. dart:js doesn't have this problem, and should almost always be used instead of package:js.

WebUI defaulting to an Anonymous user

After setting up Nginx, I can get to the SecurityMonkey UI, but it doesn't take me to the Login screen as displayed in the Quickstart. I am launched into the application as an anonymous user, but with no ability to create a user, or do any searching, or viewing of reports.

Install Issues

Hi,
Hopefully someone can help me with this as I have tried everything and cannot get Security Monkey to work properly. I originally followed the guide a few weeks ago and it was all working but then it stopped on its own. Since then I have tried to re-install and I keep hitting the same issue.

Security_monkey-deploy.log is empty.

Supervisor will not start the program.

root@ip-172-30-0-254:/home/ubuntu# supervisorctl
securitymonkey FATAL Exited too quickly (process log may have details)
securitymonkeyscheduler FATAL Exited too quickly (process log may have details)
supervisor> restart all
securitymonkey: ERROR (abnormal termination)
securitymonkeyscheduler: ERROR (abnormal termination)
supervisor> status
securitymonkey BACKOFF Exited too quickly (process log may have details)
securitymonkeyscheduler BACKOFF Exited too quickly (process log may have details)
supervisor> status
securitymonkey FATAL Exited too quickly (process log may have details)
securitymonkeyscheduler FATAL Exited too quickly (process log may have details)
supervisor>

I can get the website up but it does not present the Logon page. It looks like it's logged in as Anonymous.

I'm completely stuck

CORS header missing localhost

Sometimes when working on OS X, I will land up having a CORS request made to localhost as opposed to 127.0.0.1

localhost should be added to security_monkey/views/__init__.ORIGINS

SecurityMonkey can only find first 100 IAM Users

In security_monkey/watchers/iam_user.py line 57 call to iam.get_all_users will only return the first 100 IAM Users by default.

Not sure if this is a boto issue or something that should be addressed here.

Blank page when trying to create account

Just installed SM and got it up and running. Registered a user (had to make db changes to skip the checking) and went to the settings page. When I click the plus to add an account I'm greeted with a nice blank page. (I get no errors anywhere in nginx or /tmp/sm.log)

I've only just started picking up angular and know nothing of dart, so I recognize that there's a custom component that should be rendering these things from static / packages / SecurityMonkey / component / account_view_component / account_view_component.dart but I do not know how to debug and see what's wrong.

The firefox console caught this:

GET https://bla/views/create_account.html [Http/1.1 304 Not Modified]
"NullError: a.webkitCreateShadowRoot is undefined"   main.dart.js:50809

Any ideas?

Security Monkey should monitor SSL Expiration Dates and Alert when appropriate

The 'iamssl' technology type has a number of useful fields.

{
    "upload_date": ...
    "server_certificate_id": ...
    "server_certificate_name": ...
    "expiration": ...
    "path": "/",
    "arn": "arn:aws:iam::xxx:server-certificate/xxx"
}

Security Monkey should alert when the expiration date is almost here.

Security Monkey should compare the upload_date to the date that HeartBleed was released and alert on any certs that could have been vulnerable.

Longer term (and this will be filed as a separate enhancement issue), Security Monkey should check ciphers and perform more sslyze-type checks against all certs.
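The two checks requested above, as an added example that is not part of Security Monkey: it flags 'iamssl' items that are expired or close to expiry, and items uploaded before Heartbleed was publicly disclosed (7 April 2014). The timestamp format, the 30-day warning window, the finding codes and the sample certificates are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Public disclosure date of Heartbleed.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7)
# Assumption: warn 30 days ahead of expiry.
WARN_WINDOW = timedelta(days=30)
# Assumption: the watcher stores timestamps as ISO 8601 UTC strings.
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(value):
    """Parse a timestamp, returning None for missing or malformed values."""
    try:
        return datetime.strptime(value, TS_FORMAT)
    except (TypeError, ValueError):
        return None


def audit_iamssl(cert, now):
    """Return a list of finding codes for one 'iamssl' item."""
    findings = []
    expiration = parse_ts(cert.get("expiration"))
    uploaded = parse_ts(cert.get("upload_date"))

    if expiration is None:
        # An unreadable date must not silently pass the audit.
        findings.append("EXPIRATION_UNKNOWN")
    elif expiration <= now:
        findings.append("EXPIRED")
    elif expiration - now <= WARN_WINDOW:
        findings.append("EXPIRING_SOON")

    if uploaded is None:
        findings.append("UPLOAD_DATE_UNKNOWN")
    elif uploaded < HEARTBLEED_DISCLOSED:
        # The key pair existed before disclosure and may have been served
        # from a vulnerable endpoint; it is a candidate for reissue.
        findings.append("PRE_HEARTBLEED")
    return findings


def audit_all(certs, now):
    """Map certificate name to findings, omitting certificates with none."""
    report = {}
    for cert in certs:
        findings = audit_iamssl(cert, now)
        if findings:
            report[cert.get("server_certificate_name", "<unnamed>")] = findings
    return report


# Constructed sample items using the field names listed in the issue.
SAMPLE_CERTS = [
    {"server_certificate_name": "legacy-web",
     "upload_date": "2013-11-02T10:00:00Z",
     "expiration": "2014-08-20T00:00:00Z"},
    {"server_certificate_name": "reissued-api",
     "upload_date": "2014-05-01T09:30:00Z",
     "expiration": "2015-05-01T00:00:00Z"},
    {"server_certificate_name": "forgotten",
     "upload_date": "2014-04-10T12:00:00Z",
     "expiration": "2014-07-01T00:00:00Z"},
    {"server_certificate_name": "bad-record",
     "upload_date": "2014-06-01T00:00:00Z",
     "expiration": "not-a-date"},
]

if __name__ == "__main__":
    for name, findings in sorted(audit_all(SAMPLE_CERTS, datetime(2014, 8, 1)).items()):
        print(name, findings)
```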

What does "third party" do?

Hi,
First, thanks for such an incredible tool! Looking forward to getting to know it and hopefully contributing back to it.

What does the "Third party" checkbox do? When and why should it be checked? Docs say "Third Party This is a way to tell security monkey that the account is friendly and not owned by you", but that isn't very clear to me whether I should check it.

Specifically, I am configuring another account that is linked to a master account via Consolidated Billing into Security Monkey. Is that considered a "third party" account? It is a friendly account, but it is known to us.

(If there is a better place to ask questions like this, like a Google Group, please let me know.)

Improvement to the NGINX error message presented when API is not running.

As previously chatted about ::

I believe it'd be nice to have a UI improvement for the API warning message within the SecurityMonkey web application. I believe that this is unclear and typically happens when there is an issue with the SecurityMonkey scheduler due to the supervisorctl not staying up. Is it reasonable to configure the nginx 502 error message to point the admin to check the status of the scheduler and to restart (e.g. point them to here)?

Something like -

#site-wide error pages
error_page 404 /404.html;
error_page 502 /502.html;

where the 404.html and 502.html files live in the domain root and encourages the admin to check if the scheduler is running.

I think these are the official nginx instructions here.

Improvement to Documentation on Third Party Tickbox

As we discussed, I think there should be better clarification on what enabling "third party" tick box means as it's unclear (from the docs - see here) that this feature should not be enabled when creating the account under "Settings".

This is the specific section in the documentation that I'm referring to -

Third Party This is a way to tell security monkey that the account is friendly and not owned by you.

Thanks!

Revision Component Tabs Are Broken

In dart/lib/component/revision/revision_component.html, there are two tabs to switch between the Diff view and the Current view.

These tabs do not currently work. This can probably be easily fixed using AngularDart-UI tabs.

 <div class="panel-body">
    <div class="col-md-3">
      <!-- Tabs do not currently work.  Maybe try to use AngularDart-UI tabs -->
      <ul class="nav nav-pills nav-stacked" id="myTabs">
        <li class="active"><a data-toggle="pill" href="">Diff</a></li>
        <li><a data-toggle="pill" href="">Current</a></li>
      </ul>
    </div>

    <!-- Content -->
    <div class="col-md-9">
      <div class="tab-content">
        <div class="tab-pane active" id="diff">
          <span ng-if="cmp.hasDiffHtml()" ng-bind-html="cmp.rev.diff_html"></span>
          <span ng-if="!cmp.hasDiffHtml()">Diff Not Available.</span>
        </div>
        <div class="tab-pane" id="current">
          <pre><code class="html">{{cmp.rev.config}}</code></pre>
        </div>
      </div>
    </div>
  </div>

exception after enabling elb watcher

After pulling the latest master to add the elb watcher, I got the error below

2014-08-12 11:28:35,346 DEBUG: Checking elb/aws-default/sa-east-1 [in /opt/secmonkey/security_monkey/watchers/elb.py:52]
2014-08-12 11:28:38,207 INFO: "Problem Connecting to elb/aws-default/sa-east-1:\n'ResultSet' object is not callable" [in /opt/secmonkey/security_monkey/exceptions.py:68]

2014-08-12 11:28:38,241 DEBUG: Skipping ('elb', u'aws-default', u'ap-southeast-1', u'web-dev') due to an region-level exception "Problem Connecting to elb/aws-default/ap-southeast-1:\n'ResultSet' object is not callable". [in /opt/secmonkey/security_monkey/watcher.py:145] 

Thanks.

Amazon Linux support

Hi,

Are there any plans or general interest on supporting Amazon Linux?

I've started some work on it but besides adding some notes to docs, there's also a Python version compatibility issue. Amazon Linux ships with Python 2.6 which doesn't have dict comprehensions and needs positions when formatting strings '{0}, {1}'.format(one, two) instead of '{}, {}'.format(one, two).
So far those are the only big issues I could find and if anyone is interested and authors are willing to accept those changes, I'd be glad to contribute them.

Cheers,
Luka

Dart problem

This is the error I am getting.

/usr/lib/dart$ Could not find a file named "pubspec.yaml" in "/usr/lib/dart".

Help to customize Config & Reports

I installed Security Monkey last week and have been playing with it, and I noticed two things which seem to be configuration related.

  1. I am getting two emails for every report, alert or notification. How can I change this behavior?
  2. In reports, I noticed the ACCESSKEY is mentioned for all the users, which I don't want. Can it be edited to not send keys in reports? There could be a way to not send this report to anyone, or only to a specific email; if yes, please point me to the right path.

btw, thanks a lot for making this product; it makes my life easier. I used to do this by writing cmd commands and comparing them, etc.

Deleting Account May Result in Foreign Key Constraint Error

Issue description pasted from email:

“I followed their install instructions for a single-node deployment. When I associate an account with Security Monkey everything works. Deleting an account resulted in Foreign Key constraint errors in the Postgres database. Here’s the error statement:

2014-07-01 07:37:20 UTC ERROR:  update or delete on table "account" violates foreign key constraint "association_account_id_fkey" on table "association"
2014-07-01 07:37:20 UTC DETAIL:  Key (id)=(1) is still referenced from table "association".
2014-07-01 07:37:20 UTC STATEMENT:  DELETE FROM account WHERE account.id = 1

I was able to truncate the detail and audit tables with a cascade clause and clean up the observations associated with the account I wanted to remove. After that, I simply deleted the account via SQL, but should have done it via the web console”

Account added, no items appearing, no errors

I've added my account after setting up security_monkey but I'm not seeing any items populated in the search and no errors are being thrown in the logs. I'm seeing 200 codes on calls to /api/1/items

What further actions can I take to try and debug this issue?

Possible Issue with Security Groups with the same name

We have security groups with the same Group Name but different Group ID. Only the first Security Group shows up in Security Monkey. The obvious answer is to make a unique Group Name but since we will be reviewing accounts that our organization owns but that the security folks do not have the ability to rename, we may be missing some of the Security Groups.

Developer Instructions are lacking

The instructions at:

http://securitymonkey.readthedocs.org/en/latest/contributing.html#development-setup

Don't really work. They need to be updated. Here are the notes from sihil:

OK - I've had another go at this today. I've done just enough python to know the pip install -r requirements.txt command - although it did take me a while to remember it 😄

I then installed virtualenv by:

brew install python --with-brewed-openssl
pip install virtualenv

Once that was done I created and activated the ve (a suggested location for this wouldn't go amiss - I created it in the repo directory, although this isn't currently excluded in .gitignore) and installed the requirements. During that I discovered I needed PostgreSQL installed and needed to ensure that pg_config was on my path so that the psycopg2 dependency would compile.

Once that's done nosetests needs a valid SECURITY_MONKEY_SETTINGS env value. I'm not quite sure how to proceed from here, but basically followed some of the steps from the quickstart (namely the DB configuration) and used the config-local.py settings file (with no changes).

That's about where I run out of steam. In test_s3.py it is looking for S3_ACCOUNT_NAMES in constants.py - which doesn't seem to exist. I wanted to check that you were happily running those tests before I spend too much time trying to debug it further.

That looks like a sensible fix although I was going to add the protocol and ports to the issue field (I wasn't sure how obvious the notes would be in the UI).

Looks like you might have this one sorted so having a dev environment seems less important - however, it would still be good to make it work for the benefit of others and for the future. Let me know if I can help in any way.

Alembic/FlaskMigrate does not create ignorelist

Trying to run the latest code on my macbook. There is no ignorelist table when I try to run

python manage.py run_change_reporter all

I get an error like:

$ python manage.py run_change_reporter all
Starting work on account foobar
Traceback (most recent call last):
  File "manage.py", line 240, in <module>
    manager.run()
  File "/Users/ivanlei/virtual_envs/security_monkey/lib/python2.7/site-packages/flask_script/__init__.py", line 397, in run
    result = self.handle(sys.argv[0], sys.argv[1:])
  File "/Users/ivanlei/virtual_envs/security_monkey/lib/python2.7/site-packages/flask_script/__init__.py", line 376, in handle
    return handle(app, *positional_args, **kwargs)
  File "/Users/ivanlei/virtual_envs/security_monkey/lib/python2.7/site-packages/flask_script/commands.py", line 145, in handle
    return self.run(*args, **kwargs)
  File "manage.py", line 72, in run_change_reporter
    sm_run_change_reporter(accounts)
  File "/Users/ivanlei/security_monkey/security_monkey/__init__.py", line 195, in run_change_reporter
    reporter.run(account)
  File "/Users/ivanlei/security_monkey/security_monkey/reporter.py", line 81, in run
    (items, exception_map) = watcher.slurp()
  File "/Users/ivanlei/security_monkey/security_monkey/watchers/sqs.py", line 50, in slurp
    self.prep_for_slurp()
  File "/Users/ivanlei/security_monkey/security_monkey/watcher.py", line 54, in prep_for_slurp
    self.ignore_list = query.filter(Technology.name==self.index).all()
  File "/Users/ivanlei/virtual_envs/security_monkey/lib/python2.7/site-packages/sqlalchemy/orm/query.py", line 2279, in all
    return list(self)
  File "/Users/ivanlei/virtual_envs/security_monkey/lib/python2.7/site-packages/sqlalchemy/orm/query.py", line 2391, in __iter__
    return self._execute_and_instances(context)
  File "/Users/ivanlei/virtual_envs/security_monkey/lib/python2.7/site-packages/sqlalchemy/orm/query.py", line 2406, in _execute_and_instances
    result = conn.execute(querycontext.statement, self._params)
  File "/Users/ivanlei/virtual_envs/security_monkey/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 717, in execute
    return meth(self, multiparams, params)
  File "/Users/ivanlei/virtual_envs/security_monkey/lib/python2.7/site-packages/sqlalchemy/sql/elements.py", line 317, in _execute_on_connection
    return connection._execute_clauseelement(self, multiparams, params)
  File "/Users/ivanlei/virtual_envs/security_monkey/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 814, in _execute_clauseelement
    compiled_sql, distilled_params
  File "/Users/ivanlei/virtual_envs/security_monkey/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 927, in _execute_context
    context)
  File "/Users/ivanlei/virtual_envs/security_monkey/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 1076, in _handle_dbapi_exception
    exc_info
  File "/Users/ivanlei/virtual_envs/security_monkey/lib/python2.7/site-packages/sqlalchemy/util/compat.py", line 185, in raise_from_cause
    reraise(type(exception), exception, tb=exc_tb)
  File "/Users/ivanlei/virtual_envs/security_monkey/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 920, in _execute_context
    context)
  File "/Users/ivanlei/virtual_envs/security_monkey/lib/python2.7/site-packages/sqlalchemy/engine/default.py", line 425, in do_execute
    cursor.execute(statement, parameters)
sqlalchemy.exc.ProgrammingError: (ProgrammingError) relation "ignorelist" does not exist
LINE 2: FROM ignorelist JOIN technology ON technology.id = ignorelis...
             ^
 'SELECT ignorelist.id AS ignorelist_id, ignorelist.prefix AS ignorelist_prefix, ignorelist.notes AS ignorelist_notes, ignorelist.tech_id AS ignorelist_tech_id \nFROM ignorelist JOIN technology ON technology.id = ignorelist.tech_id \nWHERE technology.name = %(name_1)s' {'name_1': 'sqs'}

I'm not real certain how to use the alembic/flaskmigrate stuff so I kinda faked it by populating a file in migrations/versions that creates the table when I run python manage.py db upgrade. My file looks like:

"""add ignorelist

Revision ID: 262a9fd74c04
Revises: fb592c81e71
Create Date: 2014-11-01 18:16:32.182788

"""

# revision identifiers, used by Alembic.
revision = '262a9fd74c04'
down_revision = 'fb592c81e71'

from alembic import op
import sqlalchemy as sa


def upgrade():
    ### commands auto generated by Alembic - please adjust! ###
    op.create_table('ignorelist',
    sa.Column('id', sa.Integer(), nullable=False),
    sa.Column('prefix', sa.String(length=512), nullable=True),
    sa.Column('notes', sa.String(length=512), nullable=True),
    sa.Column('tech_id', sa.Integer(), nullable=True),
    sa.ForeignKeyConstraint(['tech_id'], ['technology.id'], ),
    sa.PrimaryKeyConstraint('id')
    )
    ### end Alembic commands ###

def downgrade():
    ### commands auto generated by Alembic - please adjust! ###
    op.drop_table('ignorelist')
    ### end Alembic commands ###

This seems to work but I had to write the python code by hand as I couldn't figure out the alembic stuff.

Better Handle AWS Throttling/Rate Limiting

The watchers need a better way to handle AWS Rate Limiting:

2014-06-30 21:45:45,300 DEBUG: Found 106 ELBs [in /home/ubuntu/security_monkey/security_monkey/watchers/elb.py:62]
2014-06-30 21:45:47,085 ERROR: Job "run_change_reporter (trigger: interval[0:15:00], next run at: 2014-06-30 22:00:37.117198)" raised an exception [in build/bdist.linux-x86_64/egg/apscheduler/scheduler.py:520]
Traceback (most recent call last):
  File "build/bdist.linux-x86_64/egg/apscheduler/scheduler.py", line 512, in _run_job
    retval = job.func(*job.args, **job.kwargs)
  File "/home/ubuntu/security_monkey/security_monkey/__init__.py", line 180, in run_change_reporter
    reporter.run(account)
  File "/home/ubuntu/security_monkey/security_monkey/reporter.py", line 78, in run
    (items, exception_map) = watcher.slurp()
  File "/home/ubuntu/security_monkey/security_monkey/watchers/elb.py", line 81, in slurp
    elb_map['is_cross_zone_load_balancing'] = elb.is_cross_zone_load_balancing()
  File "/usr/local/lib/python2.7/dist-packages/boto-2.25.0-py2.7.egg/boto/ec2/elb/loadbalancer.py", line 231, in is_cross_zone_load_balancing
    return self.get_attributes(force).cross_zone_load_balancing.enabled
  File "/usr/local/lib/python2.7/dist-packages/boto-2.25.0-py2.7.egg/boto/ec2/elb/loadbalancer.py", line 218, in get_attributes
    self._attributes = self.connection.get_all_lb_attributes(self.name)
  File "/usr/local/lib/python2.7/dist-packages/boto-2.25.0-py2.7.egg/boto/ec2/elb/__init__.py", line 425, in get_all_lb_attributes
    params, LbAttributes)
  File "/usr/local/lib/python2.7/dist-packages/boto-2.25.0-py2.7.egg/boto/connection.py", line 1161, in get_object
    raise self.ResponseError(response.status, response.reason, body)
BotoServerError: BotoServerError: 400 Bad Request

<ErrorResponse xmlns="http://elasticloadbalancing.amazonaws.com/doc/2012-06-01/">
  <Error>
    <Type>Sender</Type>
    <Code>Throttling</Code>
    <Message>Rate exceeded</Message>
  </Error>
  <RequestId>e52d9fcb-009f-11e4-ade9-99cb502219cd</RequestId>
</ErrorResponse>
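One way a watcher call could survive the "Throttling" response shown above, as an added example that is not Security Monkey's or boto's code: retry only when the error code is Throttling, wait with capped exponential backoff and full jitter, and re-raise everything else immediately. FakeServerError is a stand-in for boto's BotoServerError (the example relies only on an error_code attribute); the function names, delays and attempt limit are assumptions.

```python
import random
import time

# Error code taken from the <Code> element of the response above.
THROTTLE_CODES = frozenset(["Throttling"])


class FakeServerError(Exception):
    """Stand-in for a boto server error; carries status and error_code."""

    def __init__(self, status, error_code):
        Exception.__init__(self, "{0} {1}".format(status, error_code))
        self.status = status
        self.error_code = error_code


def call_with_backoff(func, max_attempts=5, base_delay=0.5, max_delay=30.0,
                      sleep=time.sleep, rng=random.random):
    """Call func(), retrying only when the API reports throttling.

    The wait before retry n is a random fraction of
    min(max_delay, base_delay * 2**n), so concurrent watchers do not
    retry in lockstep. sleep and rng are injectable for testing.
    """
    if max_attempts < 1:
        raise ValueError("max_attempts must be at least 1")
    for attempt in range(max_attempts):
        try:
            return func()
        except Exception as exc:
            throttled = getattr(exc, "error_code", None) in THROTTLE_CODES
            # Other errors (bad credentials, access denied) are not
            # transient: surface them instead of hiding them behind retries.
            if not throttled or attempt == max_attempts - 1:
                raise
            ceiling = min(max_delay, base_delay * (2 ** attempt))
            sleep(rng() * ceiling)


def make_flaky(failures, result, error_code="Throttling"):
    """Build a constructed API call that fails `failures` times, then succeeds."""
    state = {"calls": 0}

    def call():
        state["calls"] += 1
        if state["calls"] <= failures:
            raise FakeServerError(400, error_code)
        return result

    call.state = state
    return call


if __name__ == "__main__":
    waits = []
    flaky = make_flaky(2, {"cross_zone": True})
    print(call_with_backoff(flaky, sleep=waits.append), waits)
```

In a watcher, each per-resource call (such as the attribute lookup in the traceback) would be wrapped individually so that one throttled request does not abort the whole run.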

HTML files missing correct link to securitymonkeyHead.png

On the following pages -

  • security_monkey/security_monkey/templates/security/register_user.html

there appears to be an incorrect image source

-- src="static/images/securitymonkeyHead.png" height="30" width="30" />
-- src="static/images/securitymonkeyHead.png" height="30" width="30" />

respectively.

I removed {{static/}} and it was subsequently fine.

If you'd prefer, I can submit a pull request with the fix if you'd like but it's pretty simple obviously (assuming it is a valid issue). I presumed this would be a known issue or others would have found it but I haven't seen it in the issues so maybe it's not an issue either?

Similarly the pages below seem to have the wrong image sources but I'm unsure if these pages are being actively used at present?

{code}
security_monkey/security_monkey/templates/security/reset_password.html:
security_monkey/security_monkey/templates/security/send_confirmation.html:
security_monkey/security_monkey/templates/security/forgot_password.html:
{code}
