ace-n
commented
3 years ago Some things we might want to cover:
- Auth: is our stored-session-cookie implementation (see #139) the {correct, optimal} use of Firebase Auth?
- Automated analysis: as part of our ops plan, should we set up automated analyzers/pen-testing tools (e.g. this) as a "first line of defense" against web application vulnerabilities?
- Log sanitization: do we need to make sure secrets from e.g. Secret Manager are automatically removed from any Cloud Logging entries?
- Test review: Can we make sure that our tests check for common vulnerabilities explicitly? (e.g. check for forced browsing attacks by making sure our auth-z works.)
We should conduct a security review of the overall app as we're approaching Public Preview.
(We'll probably have to make an inventory of what needs to be reviewed first, as well as any potential focus areas that we may want to draw attention to - such as website auth in #139.)