Security Audit

[edzillion]

List the elements required for a proper security audit:

• All devs (all users?) must use primary email with 2FA
• Github teams to divide devs (with access to core repos) and others
• Github 2FA turned on for all users / devs
• rocketchat passwords to be reviewed, rocketchat email must be secure
• Review of CI build security: Travis, Docker etc

[edzillion]

• Review of logging, storage of logs & log access

[d-xo]

• define aws roles
• enforce 2fa on aws (can we get yubikeys for people with access to aws?)
• review users with commit access
• review users with aws access
• enforce PR for changes to all master branches
• core team should have 2fa on rocketchat accounts
• devs should establish backup coms to respond in case of a hack (signal / whatsapp)

[edzillion]

• review gitignores
• review local password storage for circles admins
• What to do if you have committed a key

[edzillion]

• Review of recovery emails

[ana0]

Just want to clarify that this is a security checklist for our aws infrastructure, right? And smart contract security will be elsewhere/a bit later?

[d-xo]

yes.

[edzillion]

• Strategy for using aws access_keys / secret_keys on deploys. Should it be the key for the responsible user, or a generic deploy key?

[edzillion]

• Go through the IAM roles, removing any redundant and check if roles can be shared between builds etc.

[edzillion]

from here: https://medium.com/@jsoverson/exploiting-developer-infrastructure-is-insanely-easy-9849937e81d4 Open source is incredibly broken

Let’s count all the things that went wrong.

An application (Copay) was be built by consuming dependencies over the network without the entire tree’s dependencies locked.
Even without locked versions, those dependencies aren’t cached and are pulled on every build.
Thousands of other projects are dependent on event-stream with the same or similar configurations.
The maintainer stopped caring about a library that thousands of projects depended on.
Thousands of projects consume this library for free and expect it to be maintained without any compensation.
The maintainer gave full control to an unknown entity just because they asked for it.
There was no notification that control had changed, thousands of projects were just expected to consume the package with no warning.
There’s really no end, this list could go on and on.

[edzillion]

• Need to create some kind of network diagram / canonical list of resources, so that we can see if malicious changes have been made.
• Document SSH and other keys / passwords

[evanstucker-hates-2fa]

I'd be happy to go through this with you, share my experiences/opinions, and help tighten security. Want to schedule a video chat?

[ana0]

^ I'd like to join, if/when this happens.

[edzillion]

I'd be happy to go through this with you, share my experiences/opinions, and help tighten security. Want to schedule a video chat?

Sounds good, although I think that we are still in the 'building out' phase and I wonder would this be better left to a 'consolidation phase' ?

[edzillion]

• Cognito User Pools - set readable / writeable atribute permissons

[edzillion]

https://github.com/cesar-rodriguez/terrascan

https://serverfault.com/questions/812907/aws-security-group-for-rds-outbound-rules

[edzillion]

https://consensys.github.io/smart-contract-best-practices/known_attacks/

[edzillion]

It is highly recommended to create a sub-user that only has the rights to use SNS and a logging ability to use CloudWatch. CloudWatch is a logging mechanism which will greatly help in seeing if a message has been delivered or not.

from https://keyholesoftware.com/2019/01/07/aws-sns-push-notifications/

[edzillion]

https://tersesystems.com/blog/2014/01/13/fixing-the-most-dangerous-code-in-the-world/

&

https://github.com/lightbend/ssl-config

[edzillion]

https://blog.risingstack.com/node-js-security-checklist/

[edzillion]

https://securitytxt.org/

[edzillion]

https://www.hpe.com/us/en/insights/articles/5-ways-to-secure-your-containers-1904.html