Delivery Security Review - Outcome #58

Open
AWSMaedeh opened this issue May 17, 2022 · 0 comments
AWSMaedeh commented May 17, 2022

Below are the findings from a security review of the solution.
All actions should either have a status of ACKNOWLEDGED or DONE before making the repo public.

| Findings | Mitigations | Status | Owner |
| --- | --- | --- | --- |
| Add required attributions for open source libraries used within the project to comply with licensing terms | Added NOTICE.txt to the repo | DONE | AWS |
| Penetration testing is required for the solution, especially for the Egress App Frontend | Dundee team to review this requirement and action it if required. If the penetration test is not done before making this repo public it should be noted somewhere for end users. | ACKNOWLEDGED: #65 | DUNDEE |
| Enable WAF integration with Egress App frontend | Add recommendation da0a647 | DONE | AWS |
| Notice for end users on data security | Dundee to provide guidance to end users on the type of data that can be put into TREEHOOSE and highlight that protecting data is the user's responsibility, in line with DPO guidelines | ACKNOWLEDGED #66 | DUNDEE |
| List any third party libraries and tools that do not come by default with the OS | Added a list to documentation 42c0f89 | DONE | AWS |
| Encryption at rest not enabled for CloudWatch logs | This is not required as currently the code does not log any sensitive information, although if Dundee updates the code at some point to log sensitive data to CloudWatch (advised against) the CloudWatch log group should be encrypted | ACKNOWLEDGED #67 | DUNDEE |
| Enable ERROR logging for AppSync; request level logging enabled for the GraphQL API to track invalid requests | Error level logging for the AppSync resource should be enabled to help look into errors 8359fb1 | DONE | AWS |
| Add guidance on AWS Org best practices, especially around use of a decommissioning/suspended OU | Added guidance cd40d7b | DONE | AWS |
| Use latest version of runtime for Lambda functions | Currently the Lambda functions use Python version 3.8, for which an end of life date is not announced by AWS. For long term support Dundee should constantly review related AWS announcements and update/test the Lambda runtime as required | ACKNOWLEDGED #68 | DUNDEE |
| Enable CI pipeline for linting and SAST | Use GitHub Actions to implement a CI pipeline | IN-PROGRESS | DUNDEE |
| The NPM packages used for the egress app frontend have 6 low, 6 medium and 1 high vulnerability. These can be viewed by using `npm audit`. 1 high and 1 medium are due to direct dependencies and the rest are due to nested dependencies. | To address the issue a major version update is required, which results in breaking changes to the code. The alternatives are to review the vulnerabilities and accept them or undertake the work to upgrade the app, which might be 2 days at the least | TO-DO | DUNDEE |
| SNS topic used to monitor SES email sending events should have encryption enabled | Encryption enabled 3de0a3d | DONE | AWS |
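The three AWS-owned mitigations in the table that are pure configuration (encrypted CloudWatch log group, ERROR-level AppSync logging, encrypted SNS topic for SES events) written out as one CloudFormation fragment. This is an added example, not code from the TREEHOOSE repository or the referenced commits; the resource names, the log group name, the two parameters and the use of a Cognito user pool for the API are assumptions.

```yaml
Parameters:
  AppSyncLogRoleArn: { Type: String }  # placeholder: role holding AWSAppSyncPushToCloudWatchLogs
  UserPoolId: { Type: String }         # placeholder: Cognito user pool the API trusts
Resources:
  # Customer-managed key shared by the log group and the SNS topic. CloudWatch Logs needs a
  # customer-managed key, and SES cannot publish to a topic encrypted with the AWS-managed
  # SNS key, so both service principals are granted use of this key explicitly.
  DataKey:
    Type: AWS::KMS::Key
    Properties:
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow   # account administration of the key
            Principal: { AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root" }
            Action: "kms:*"
            Resource: "*"
          - Effect: Allow   # CloudWatch Logs encrypts/decrypts log data with this key
            Principal: { Service: !Sub "logs.${AWS::Region}.amazonaws.com" }
            Action: ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"]
            Resource: "*"
            Condition:
              ArnLike:
                "kms:EncryptionContext:aws:logs:arn": !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:*"
          - Effect: Allow   # SES publishes sending events to the encrypted topic
            Principal: { Service: ses.amazonaws.com }
            Action: ["kms:GenerateDataKey*", "kms:Decrypt"]
            Resource: "*"
  # Finding: encryption at rest for the CloudWatch log group.
  EgressLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /treehoose/egress-app   # placeholder
      KmsKeyId: !GetAtt DataKey.Arn
  # Finding: ERROR-level field logging for the AppSync GraphQL API.
  EgressApi:
    Type: AWS::AppSync::GraphQLApi
    Properties:
      Name: egress-app-api   # placeholder
      AuthenticationType: AMAZON_COGNITO_USER_POOLS
      UserPoolConfig: { UserPoolId: !Ref UserPoolId, AwsRegion: !Sub "${AWS::Region}", DefaultAction: ALLOW }
      LogConfig: { CloudWatchLogsRoleArn: !Ref AppSyncLogRoleArn, FieldLogLevel: ERROR, ExcludeVerboseContent: true }
  # Finding: SNS topic carrying SES sending events encrypted at rest.
  SesEventsTopic:
    Type: AWS::SNS::Topic
    Properties:
      KmsMasterKeyId: !Ref DataKey
```

The key policy is the part that is usually missed: without the service-principal statements, log group creation with `KmsKeyId` fails and SES silently stops delivering events to the topic.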