Security

Security Guide

Writing secure software

This part is important to consider to mitigate any problems that might rise due to our own or user's errors, and to avoid difficult patches or heavy costs, therefore it should be regularly kept up.

• Avoid copying code from unreliable sources or using default configurations from open-source libraries, Docker images, or Google services, as they might contain vulnerabilities.
• Implement security throughout the development lifecycle, including:
  • Regularly revisiting and updating the Threat Model.
  • Implementing tests to evaluate the build process for security.

Examples of Security Tools and Practices:

• Use Dependabot for automatic alerts on dependency vulnerabilities.
• Apply fuzz testing to find security flaws and other bugs.

Security Best Practices

Ensuring the reliability of our application goes hand in hand with security practices, we did the following:

• Authenticate to Google Cloud using a service account and OAuth, avoiding JSON configurations.
• Limit the roles of Kubernetes service accounts within their respective namespaces.
• Avoid storing sensitive credentials in GitHub workflows.
• Implement error handling in Backstage templates to prevent the insertion of invalid data.
• Ensure no sensitive information is printed during GitHub Actions runs.
• Limit the scope of Google Cloud service accounts.
• Store essential keys needed by GitHub Actions in repository secrets.

About Practices in Security

• Keep software up-to-date.
• Use a password manager and don't reuse passwords.
• Use 2FA.
• Remove unnecessary programs from your computer to reduce attack surface.
• Encrypt your drives, especially external.

Sensitive Data Handling

Sensitive data like passwords, usernames, and keys should never be exposed:

• Never push sensitive data to GitHub or any public forums.
• Manage sensitive data within secure locations, ensuring it's not duplicated or stored in insecure locations like Dropbox or Google Drive.
• Immediately change exposed data; simply reverting commits is insufficient.

Guardrails Against Insecure Code

New developers, particularly students, might inadvertently introduce security issues:

• Insecure API Usage: The students might accidentally expose sensitive information through improperly secured APIs. E.g., failing to implement proper authentication or inadvertently logging sensitive data.
• Dependency Issues: They might use outdated or vulnerable libraries and frameworks can introduce security risks. Beginners often lack awareness about the security implications of the dependencies they include in their projects.
• Configuration Errors: Misconfiguration of application settings, such as incorrect security settings in MongoDB, which could lead to unauthorized data exposure. E.g., failing to properly configure database access controls or accidentally leaving development configurations in production code.
• Insecure Data Storage: Storing sensitive information insecurely in the application's filesystem or in MongoDB without proper encryption or access controls. This includes storing sensitive tokens, passwords, or API keys directly in the application's source code or configuration files.

As it stands right now, we do not have railways against these things within our MVP, and the potential risks need to be taken into account.

Strategies to Mitigate Risks

The MVP suited our needs, however there is a lot of room for improvement. Up until we introduce more robust guardrails against the risks, we can focus on educating the students about security risks in development:

• Educational Resources: We need to provide security resources for students early on. Include basic secure coding practices tailored to their level of expertise.
  • Documentation and Guides: Offer a link to a comprehensive documentation and guidelines on secure coding practices, dependency management, and configuration best practices.
• Dependency Management:
• Safe Dependency Practices: Educate on the importance of vetting new libraries and using dependencies from trusted sources only.
• Dependency Checks: Tools like OWASP Dependency-Check to ensure dependencies are secure before use.
• Security Checks in CI/CD Pipelines:
  • Static Code Analysis: Automatically scan the code for security vulnerabilities and bad practices.
  • Configuration Audits: Automatically review configuration files for common security misconfigurations, especially those related to database access and API endpoints.
• Sentitive Data Handling:
  • Best Practices for Data Protection: Educate beginner web developers to avoid storing sensitive information directly within application code. Advocate for the use of environment variables and secure storage solutions for handling sensitive data.
  • Action Plan for Data Leaks: Instruct on on what steps to take if sensitive data is compromised, including credential rotation and thorough security audits to prevent recurrence.

Tools and Management of Code

Code Reviews

• Integrate Automated Reviews: Look into using tools such as CodeClimate or SonarQube.
• See the review guideline before approving any PR.

Dependency Management

Regularly update dependencies with tools like Dependabot, which not only alerts you to vulnerabilities but can also create PRs to update them automatically. Handle these PRs promptly:

Handling Dependabot Alerts:

• Review the PRs created by Dependabot for dependency updates.

• Test changes thoroughly before merging to ensure new updates do not introduce new issues.

• Integrate Automated Reviews

• Keep Dependencies Updated: Turn on Dependabot to automate updates and minimize vulnerabilities.

• Safe Dependency Practices:

  • Evaluate new libraries within the team for their security before inclusion.
  • Use dependencies only from trusted and verifiable sources.

Continuous Integration Security Practices

• Security Gates: Make the CI/CD pipeline enforce checks such as:
  • Dependency vulnerability checks
  • Coding guideline and security policy adherence

Monitoring and Incident Response (TBD)

In the future, ideally we should have:

• Real-Time Monitoring: Implement monitoring tools to detect unusual activities indicating potential security issues
• Incident Response Plan: Have an incident response plan to address and mitigate security breaches swiftly

Documenting and Addressing Common Security Risks

• Risks Documentation: Any kind of a bug or risk that has been found should be thoroughly documented and linked to an issue and resolved in a timely manner.
• Expanding on this Documentation: Maintaining this document and updating the security risks and best practices is vital to mitigate them within our environment.

Additional Resources

The general resources you can look up for security to educate yourself on this topic:

• Linux Foundation (LF) Core Infrastructure Initiative (CII) Best Practices
• OWASP Top 10 Web Application Security Risks
• OWASP Slack
• More information on Secure Software Development Lifecycle