Open harryyo opened 2 years ago
CSRF defaults to true now.
Most of the OWASP security issues are down to configuration and usage. I can take a look at running OWASP ZAP against our sandbox environment, although various pen tests against FCDO services do not report this issue. The ZAP runs are probably best run nightly or weekly to reduce costs/load.
Describe the bug
There is no global security testing step in the pipeline that ensures the application is secure by default when used in production mode.
This was observed when a ZAP scan was implemented on a latest Docker image, which revealed 3 types of high security alert, including, perhaps most notably, lack of CSRF protection, on the latest codebase at the time of posting this issue.
Although some static security tests have been implemented (which all pass), these use mock/test environments. The current lack of external security tests which run against a default production deployment means that the security status of the codebase, when deployed with defaults, is unknown/untested and therefore has to be presumed to be insecure.
To Reproduce
Steps to reproduce the behaviour (e.g. CSRF off by default):
Expected behaviour
A deployment of a latest Docker image to production should pass independent security testing by default.
Screenshots
Current ZAP security report on a latest Docker deployment
Repository
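As an added example of the pipeline step the issue asks for (this is not code from the issue, the project, or the comment above about nightly/weekly runs): a Python gate that runs `zap-baseline.py` against a locally started copy of the production image and fails the job from the JSON report rather than from ZAP's own exit code. Everything specific here is assumed, not taken from the page: the image answering on http://localhost:8080, ZAP run from the ghcr.io/zaproxy/zaproxy:stable image, the report layout, and the sample report, which is constructed. One caveat worth building in: ZAP rates rule 10202 "Absence of Anti-CSRF Tokens" as Medium by default, so a gate that only fails on High alerts would not catch the finding this issue is about; the gate therefore also fails on a by-name list regardless of risk level.

```python
"""Pipeline gate for an OWASP ZAP baseline scan of the production Docker image.

Added example for this issue, not the project's own pipeline code. Assumptions
(none come from the page): the image has been started locally and answers on
http://localhost:8080; ZAP runs from the ghcr.io/zaproxy/zaproxy:stable image;
and the JSON report written by `zap-baseline.py -J` has the traditional layout
{"site": [{"@name": ..., "alerts": [{"alert": ..., "riskcode": "0".."3", ...}]}]}.
"""
from __future__ import annotations

import json
import os
import subprocess
import sys
from typing import Iterable

RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

# Alerts that must never be present on a default production deployment, whatever
# risk level ZAP assigns them. ZAP rates 10202 (Absence of Anti-CSRF Tokens) as
# Medium by default, so a gate keyed on "High" alone would not catch it.
ALWAYS_FAIL = ("Absence of Anti-CSRF Tokens",)


def zap_baseline_command(target: str, report: str, workdir: str, minutes: int = 2) -> list[str]:
    """docker command that runs zap-baseline.py against `target`.

    --network host lets the ZAP container reach a port published on localhost;
    /zap/wrk is where zap-baseline.py writes the report named by -J.
    """
    return [
        "docker", "run", "--rm", "--network", "host",
        "-v", f"{workdir}:/zap/wrk:rw",
        "ghcr.io/zaproxy/zaproxy:stable",
        "zap-baseline.py", "-t", target, "-J", report, "-m", str(minutes),
    ]


def run_scan(target: str, workdir: str = ".", report: str = "zap-report.json") -> dict:
    """Run the scan and load its JSON report.

    zap-baseline.py itself exits non-zero on any WARN, so its exit code is
    ignored here and the pass/fail decision is taken from the report by gate().
    """
    workdir = os.path.abspath(workdir)
    subprocess.run(zap_baseline_command(target, report, workdir), check=False)
    with open(os.path.join(workdir, report), encoding="utf-8") as fh:
        return json.load(fh)


def flatten_alerts(report: dict) -> list[dict]:
    """One row per (site, alert) with the risk code parsed to an int."""
    rows = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            code = str(alert.get("riskcode", "0"))
            rows.append({
                "site": site.get("@name", "?"),
                "name": alert.get("alert") or alert.get("name", "?"),
                "risk_code": int(code),
                "risk": RISK_NAMES.get(code, code),
                "count": int(alert.get("count", 0)),
            })
    return rows


def gate(report: dict, min_risk: int = 3,
         always_fail: Iterable[str] = ALWAYS_FAIL) -> tuple[bool, list[str]]:
    """Return (passed, reasons): fail on any alert at or above `min_risk`
    (3 = High) and on any alert named in `always_fail` regardless of risk."""
    forbidden = set(always_fail)
    reasons = [
        f"{a['risk']}: {a['name']} ({a['count']} instances on {a['site']})"
        for a in flatten_alerts(report)
        if a["risk_code"] >= min_risk or a["name"] in forbidden
    ]
    return (not reasons, reasons)


# Constructed sample in the layout above (not the output of a real scan); the
# rule ids, names and default risk levels are ZAP's, the counts are made up.
SAMPLE_REPORT = {
    "@version": "2.14.0",
    "site": [{
        "@name": "http://localhost:8080",
        "alerts": [
            {"pluginid": "10202", "alert": "Absence of Anti-CSRF Tokens", "riskcode": "2", "count": "4"},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2", "count": "7"},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1", "count": "7"},
        ],
    }],
}


def main(argv: list[str]) -> int:
    # With a target on the command line run a real scan; otherwise dry-run on the sample.
    target = argv[1] if len(argv) > 1 else "http://localhost:8080"
    report = run_scan(target) if len(argv) > 1 else SAMPLE_REPORT
    passed, reasons = gate(report)
    for r in reasons:
        print("FAIL", r)
    print("ZAP gate:", "passed" if passed else "failed", "for", target)
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python zap_gate.py http://localhost:8080` after `docker run -d -p 8080:<app port> <image>` in the job; the same script serves a per-merge job or the nightly/weekly schedule suggested in the comment above, only the trigger differs. On the constructed sample the default gate (High threshold plus the by-name list) fails solely on the CSRF alert; lowering `min_risk` to 2 also picks up the missing CSP header, and dropping the by-name list lets the sample pass, which is exactly the blind spot the list exists to close.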