AbsaOSS / spline

Data Lineage Tracking And Visualization Solution
https://absaoss.github.io/spline/
Apache License 2.0

Need Security details to implement Spline in Production environment #1152

Closed saroj9958 closed 4 months ago

saroj9958 commented 1 year ago

Hi Team,

We are going to implement Spline in a production environment, but the Architecture Review Board has a few queries. Can you please help us with the below:

  1. Basically they need to know what security measures are followed by Spline.
  2. ISO27001 certification
  3. SOC 2 report
  4. Latest Pen Test Report
  5. One more: can we install Spline using AKS?

It will be really great if you help me with this.

Thanks & Regards, Saroj

saroj9958 commented 1 year ago

@wajda can you please help me with the details? It will be really helpful; we have to expedite our production release.

wajda commented 1 year ago
  1. What all security measures are followed by Spline.

Spline is developed according to common software development practices, including but not limited to: support of secured communication channels (TLS), industry-standard ways of storing and accessing secrets, properly treating and escaping user input (to prevent code-injection types of attacks), and using the latest libraries that do not contain any known CVEs that might compromise the application. Basically we adhere to practices and recommendations that are common in the industry. However, Spline does not provide any authentication and authorization mechanism out of the box, so if you are going to expose the API to an untrusted network you need to wrap Spline with your own additional security layer (firewall, reverse proxy etc.).

  2. ISO27001 certification

No audit has been conducted.

  3. SOC 2 report

No audit has been conducted.

  4. Latest Pen Test Report

No certified penetration testing has been conducted.

  5. One more: can we install Spline using AKS?

Absolutely. All Spline components are available as Docker images and can run on any Kubernetes provider, including AKS.

Regarding those reports and certificates, Spline is an open-source solution distributed under the Apache 2.0 license, so you are advised to approach it with that in mind. Although we (the dev team) do our best to be in line with up-to-date security and other industry standards, we do not assume any responsibility in any case.

saroj9958 commented 1 year ago

Thanks @wajda for the reply. In addition to that we have a few more queries. As we are using Docker images, can you please help us with the below details also:

  1. Is the Docker image immutable?
  2. Where is the gold image stored?
  3. How will the images be scanned?
  4. Also, is there any possibility, in case a security vulnerability is discovered, that you guys will patch it within 48 hours?

wajda commented 1 year ago
  1. Is the Docker image immutable?

Any Docker image is immutable by definition.

  2. Where is the gold image stored?

https://hub.docker.com/search?q=Absaoss%2FSpline

Please refer to our GitHub pages for details. Also see our Docker Compose config and Kubernetes config examples at https://github.com/AbsaOSS/spline-getting-started

  3. How will the images be scanned?

What do you mean by that?

  4. Also, is there any possibility, in case a security vulnerability is discovered, that you guys will patch it within 48 hours?

No. But we will do our best to address any security issue ASAP, so the best you can do is to let us know about the issue and assist with reproducing and subsequently testing. That will make the turnaround as quick as the circumstances allow.
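
Image content is immutable per digest, but a tag such as `:latest` (or any version tag) can be re-pointed at different content by whoever pushes to the registry. The practical way to carry the immutability discussed above into a deployment is to reference images by `name@sha256:<digest>` in the Compose file or Kubernetes manifest, so that what was scanned and approved is exactly what the cluster pulls. The following is an added example, not code from the Spline project or from anyone in this thread: a POSIX shell check that walks the `image:` lines of a manifest and flags any reference that is not digest-pinned. The manifest text, the service names, the tag and the digest value are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example (not Spline project code): fail a deployment manifest whose
# image references are not pinned by content digest.

# Constructed sample manifest. The image names/tag are illustrative and the
# digest is a placeholder, not a real Spline image digest.
SAMPLE_MANIFEST='
services:
  spline-rest:
    image: absaoss/spline-rest-server:0.7.13
  spline-ui:
    image: "absaoss/spline-web-ui@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
  arangodb:
    image: arangodb:latest
'

# is_digest_pinned REF
# Returns 0 when REF ends in @sha256:<64 lowercase hex chars>, 1 otherwise.
is_digest_pinned() {
  ref=$1
  digest=${ref#*@sha256:}          # strip everything up to and including @sha256:
  [ "$digest" != "$ref" ] || return 1           # no @sha256: present at all
  [ ${#digest} -eq 64 ] || return 1             # wrong digest length
  # any character outside [0-9a-f] left after deletion means a malformed digest
  [ -z "$(printf '%s' "$digest" | tr -d '0-9a-f')" ] || return 1
  return 0
}

# check_digest_pinning MANIFEST_TEXT
# Prints "OK <ref>" or "UNPINNED <ref>" for every `image:` line found
# (YAML list items and quoted values are handled). Exit status is 1 if any
# reference is unpinned, so the function can gate a CI step.
check_digest_pinning() {
  bad=0
  # extract the value after `image:`, then drop surrounding quotes
  refs=$(printf '%s\n' "$1" |
         sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*image:[[:space:]]*//p' |
         tr -d "\"'")
  for ref in $refs; do
    if is_digest_pinned "$ref"; then
      echo "OK $ref"
    else
      echo "UNPINNED $ref"
      bad=1
    fi
  done
  return $bad
}

# Stand-alone run: report on the constructed manifest.
if [ "${1:-}" = "--demo" ]; then
  check_digest_pinning "$SAMPLE_MANIFEST"
fi
```

Run it as `sh check_pinning.sh --demo` to see two `UNPINNED` lines and one `OK` line for the sample; wire `check_digest_pinning "$(cat manifest.yaml)"` into a pipeline step so an unpinned reference fails the build. Combine this with a scanner of your choice run against the same digest, so that the scan result and the deployed artifact cannot drift apart.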

saroj9958 commented 1 year ago

Thanks @wajda for your quick response. That helps us.