CirclesUBI / infrastructure-provisioning

Infrastructure and Services for Circles
GNU Affero General Public License v3.0
5 stars 2 forks source link

Security Audit #16

Open edzillion opened 6 years ago

edzillion commented 6 years ago

List the elements required for a proper security audit:

edzillion commented 6 years ago
d-xo commented 6 years ago
edzillion commented 6 years ago
edzillion commented 6 years ago
ana0 commented 6 years ago

Just want to clarify that this is a security checklist for our aws infrastructure, right? And smart contract security will be elsewhere/a bit later?

d-xo commented 6 years ago

yes.

edzillion commented 6 years ago
edzillion commented 6 years ago
edzillion commented 6 years ago

from here: https://medium.com/@jsoverson/exploiting-developer-infrastructure-is-insanely-easy-9849937e81d4 Open source is incredibly broken

Let’s count all the things that went wrong.

An application (Copay) was be built by consuming dependencies over the network without the entire tree’s dependencies locked.
Even without locked versions, those dependencies aren’t cached and are pulled on every build.
Thousands of other projects are dependent on event-stream with the same or similar configurations.
The maintainer stopped caring about a library that thousands of projects depended on.
Thousands of projects consume this library for free and expect it to be maintained without any compensation.
The maintainer gave full control to an unknown entity just because they asked for it.
There was no notification that control had changed, thousands of projects were just expected to consume the package with no warning.
There’s really no end, this list could go on and on.
edzillion commented 5 years ago
evanstucker-hates-2fa commented 5 years ago

I'd be happy to go through this with you, share my experiences/opinions, and help tighten security. Want to schedule a video chat?

ana0 commented 5 years ago

^ I'd like to join, if/when this happens.

edzillion commented 5 years ago

I'd be happy to go through this with you, share my experiences/opinions, and help tighten security. Want to schedule a video chat?

Sounds good, although I think that we are still in the 'building out' phase and I wonder would this be better left to a 'consolidation phase' ?

edzillion commented 5 years ago
edzillion commented 5 years ago

https://github.com/cesar-rodriguez/terrascan

https://serverfault.com/questions/812907/aws-security-group-for-rds-outbound-rules

edzillion commented 5 years ago

https://consensys.github.io/smart-contract-best-practices/known_attacks/

edzillion commented 5 years ago

It is highly recommended to create a sub-user that only has the rights to use SNS and a logging ability to use CloudWatch. CloudWatch is a logging mechanism which will greatly help in seeing if a message has been delivered or not.

from https://keyholesoftware.com/2019/01/07/aws-sns-push-notifications/

edzillion commented 5 years ago

https://tersesystems.com/blog/2014/01/13/fixing-the-most-dangerous-code-in-the-world/

&

https://github.com/lightbend/ssl-config

edzillion commented 5 years ago

https://blog.risingstack.com/node-js-security-checklist/

edzillion commented 5 years ago

https://securitytxt.org/

edzillion commented 5 years ago

https://www.hpe.com/us/en/insights/articles/5-ways-to-secure-your-containers-1904.html