HicResearch / TREEHOOSE

DARE UK Sprint Project: Trusted Research Environment and Enclave for Hosting Open Original Science Exploration
Apache License 2.0

Delivery Security Review - Outcome #58

Open AWSMaedeh opened 2 years ago

AWSMaedeh commented 2 years ago

Below are the findings from a security review of the solution. All actions should either have a status of ACKNOWLEDGED or DONE before making the repo public.

| Findings | Mitigations | Status | Owner |
|---|---|---|---|
| Add required attributions for open source libraries used within the project to comply with licensing terms | Added NOTICE.txt to the repo | DONE | AWS |
| Penetration testing is required for the solution, especially for the Egress App Frontend | Dundee team to review this requirement and action it if required. If the penetration test is not done before making this repo public it should be noted somewhere for end users. | ACKNOWLEDGED: https://github.com/HicResearch/TREEHOOSE/issues/65 | DUNDEE |
| Enable WAF integration with Egress App frontend | Add recommendation da0a647 | DONE | AWS |
| Notice for end users on data security | Dundee to provide guidance to end users on the type of data that can be put into TREEHOOSE and highlight that protecting data is the user's responsibility, in line with DPO guidelines | ACKNOWLEDGED: https://github.com/HicResearch/TREEHOOSE/issues/66 | DUNDEE |
| List any third party libraries and tools that do not come by default with the OS | Added a list to documentation 42c0f89 | DONE | AWS |
| Encryption at rest not enabled for CloudWatch logs | This is not required as currently the code does not log any sensitive information, although if Dundee updates the code at some point to log sensitive data to CloudWatch (advised against) the CloudWatch log group should be encrypted | ACKNOWLEDGED: https://github.com/HicResearch/TREEHOOSE/issues/67 | DUNDEE |
| Enable ERROR logging for AppSync; request level logging enabled for the GraphQL API to track invalid requests | Error level logging for the AppSync resource should be enabled to help look into errors 8359fb1f2898356cab6d84c7b7beebb0093a564f | DONE | AWS |
| Add guidance on AWS Org best practices, especially around use of decommissioning/suspended OU | Added guidance https://github.com/HicResearch/TREEHOOSE/commit/cd40d7bb81c57c22bd46222907e351408303df89 | DONE | AWS |
| Use latest version of runtime for Lambda functions | Currently the Lambda functions use Python version 3.8, for which the end of life date is not announced by AWS. For long term support Dundee should constantly review related AWS announcements and update/test the Lambda runtime as required | ACKNOWLEDGED: https://github.com/HicResearch/TREEHOOSE/issues/68 | DUNDEE |
| Enable CI pipeline for linting and SAST | Use GitHub Actions to implement a CI pipeline | IN-PROGRESS | DUNDEE |
| The NPM packages used for the egress app frontend have 6 low, 6 medium and 1 high vulnerability. These can be viewed by using npm audit. 1 high and 1 medium are due to direct dependencies and the rest are due to nested dependencies. | To address the issue a major version update is required, which results in breaking changes to the code. The alternatives are to review the vulnerabilities and accept them, or undertake the work to upgrade the app, which might be 2 days at the least | TO-DO | DUNDEE |
| SNS topic used to monitor SES email sending events should have encryption enabled | Encryption enabled 3de0a3d | DONE | AWS |
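Several of the findings above (CloudWatch log group encryption, SNS topic encryption, AppSync ERROR logging, Lambda runtime currency) are configuration properties that can be re-checked after each deployment rather than reviewed once by hand. The script below is an added example, not part of the TREEHOOSE repository or this review: each check takes a dict shaped like the corresponding boto3 response (`logs.describe_log_groups()`, `sns.get_topic_attributes()`, `appsync.list_graphql_apis()`, `lambda.list_functions()`) so real output can be passed in, while the sample responses, ARNs, account id 111122223333 and the approved-runtime set are constructed for the example and are not the project's values.

```python
"""Configuration checks for the infrastructure findings in the review above:
CloudWatch log group encryption, SNS topic encryption, AppSync field log level
and Lambda runtime currency.

Each check takes the shape of the matching boto3 describe/list response so it
can be fed real output from logs.describe_log_groups(),
sns.get_topic_attributes(), appsync.list_graphql_apis() and
lambda.list_functions(). All sample data below is constructed for the example.
"""
from dataclasses import dataclass

# Assumption (example policy, not the project's): runtimes the team currently
# accepts. Anything else is flagged for review, as the finding asks.
APPROVED_LAMBDA_RUNTIMES = {"python3.11", "python3.12", "nodejs20.x"}


@dataclass(frozen=True)
class Finding:
    check: str      # which review item the finding maps to
    resource: str   # ARN or name of the offending resource
    detail: str


def check_log_group_encryption(describe_log_groups_response: dict) -> list[Finding]:
    """Flag CloudWatch log groups with no customer KMS key (kmsKeyId absent)."""
    return [
        Finding("cloudwatch-encryption-at-rest", g["logGroupName"],
                "log group is not encrypted with a customer managed KMS key")
        for g in describe_log_groups_response.get("logGroups", [])
        if not g.get("kmsKeyId")
    ]


def check_sns_topic_encryption(topic_arn: str, get_topic_attributes_response: dict) -> list[Finding]:
    """Flag an SNS topic whose attributes carry no KmsMasterKeyId."""
    attrs = get_topic_attributes_response.get("Attributes", {})
    if attrs.get("KmsMasterKeyId"):
        return []
    return [Finding("sns-encryption", topic_arn, "topic has no KmsMasterKeyId set")]


def check_appsync_error_logging(list_graphql_apis_response: dict) -> list[Finding]:
    """Flag AppSync APIs whose fieldLogLevel is NONE or unset (ERROR or ALL required)."""
    findings = []
    for api in list_graphql_apis_response.get("graphqlApis", []):
        level = (api.get("logConfig") or {}).get("fieldLogLevel", "NONE")
        if level not in ("ERROR", "ALL"):
            findings.append(Finding("appsync-error-logging", api["arn"],
                                    f"fieldLogLevel is {level}"))
    return findings


def check_lambda_runtimes(list_functions_response: dict, approved=APPROVED_LAMBDA_RUNTIMES) -> list[Finding]:
    """Flag Lambda functions running a runtime outside the approved set."""
    return [
        Finding("lambda-runtime", f["FunctionArn"],
                f"runtime {f.get('Runtime')} is not in the approved set")
        for f in list_functions_response.get("Functions", [])
        if f.get("Runtime") not in approved
    ]


# Constructed sample responses, shaped like the real API output.
SAMPLE_LOG_GROUPS = {"logGroups": [
    {"logGroupName": "/aws/lambda/egress-approver",
     "kmsKeyId": "arn:aws:kms:eu-west-2:111122223333:key/EXAMPLE"},
    {"logGroupName": "/aws/appsync/apis/EXAMPLE"},          # no kmsKeyId
]}
SAMPLE_TOPIC_ARN = "arn:aws:sns:eu-west-2:111122223333:ses-events"
SAMPLE_TOPIC_ATTRS = {"Attributes": {"TopicArn": SAMPLE_TOPIC_ARN}}  # no KmsMasterKeyId
SAMPLE_APIS = {"graphqlApis": [
    {"arn": "arn:aws:appsync:eu-west-2:111122223333:apis/EXAMPLE",
     "logConfig": {"fieldLogLevel": "NONE",
                   "cloudWatchLogsRoleArn": "arn:aws:iam::111122223333:role/appsync-logs"}},
]}
SAMPLE_FUNCTIONS = {"Functions": [
    {"FunctionArn": "arn:aws:lambda:eu-west-2:111122223333:function:egress-approver",
     "Runtime": "python3.8"},
    {"FunctionArn": "arn:aws:lambda:eu-west-2:111122223333:function:egress-notifier",
     "Runtime": "python3.12"},
]}


def run_all_checks() -> list[Finding]:
    """Run every check over the sample data and return the combined findings."""
    return (check_log_group_encryption(SAMPLE_LOG_GROUPS)
            + check_sns_topic_encryption(SAMPLE_TOPIC_ARN, SAMPLE_TOPIC_ATTRS)
            + check_appsync_error_logging(SAMPLE_APIS)
            + check_lambda_runtimes(SAMPLE_FUNCTIONS))


if __name__ == "__main__":
    for f in run_all_checks():
        print(f"[{f.check}] {f.resource}: {f.detail}")
```

Run as-is it reports four findings (the unencrypted AppSync log group, the SNS topic without a KMS key, the API with `fieldLogLevel` NONE, and the function still on python3.8), which is the set a reviewer would want to see cleared before the repo is made public. Wiring it into the CI pipeline mentioned in the review, with the sample dicts replaced by live boto3 calls, turns the ACKNOWLEDGED items into a recurring check instead of a one-off note.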