Open rugk opened 3 years ago
https://www.coronawarn.app/en/#privacy under the point "Security" also says:
"Security assurance of application development through Secure Software Development Lifecycle, which includes among other things threat modeling and end-to-end risk assessment, security planning, security testing and penetration testing."
I didn't find a link to these threat models, etc. there either.
@rugk @Ein-Tim You will find some documents on risk analysis on the main webpage under the section Data Privacy document and the annexes:
https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung-anlage1a.pdf
https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung-anlage1b.pdf
https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung-anlage2.pdf
https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung-anlage3.pdf
https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung-anlage5.pdf
https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung-anlage6.pdf
https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung-anlage7.pdf
That's great and interesting, but not really a security audit from an external company...
@rugk I will try to get some info. Internal Tracking ID: EXPOSUREAPP-5956
Penetration tests were also mentioned in https://dbtg.tv/cvid/7519454 at around minute 12.
FYI the BSI responded to a FOI ("freedom of information", IFG - Informationsfreiheitsgesetz) request and thus published some audits: https://fragdenstaat.de/anfrage/dokumente-zu-sicherheitsaudits-der-corona-warn-app/#nachricht-590020
The BSI responded to a question I asked them on Twitter: it is not planned to publish the security audits ("Eine Veröffentlichung der Berichte als solches ist aktuell nicht geplant." - "A publication of the reports as such is currently not planned.").
This is funny, because they actually did publish some of them in/via the FOI request above… :upside_down_face:
I asked them why they don't do this. :sweat_smile:
@rugk
Is the argument from the Twitter user a valid one? For me it sounds logical that they won't publish these audits because hackers would then know what doesn't work and could concentrate on other methods. But tbh I have never read through a security audit, so 🤷🏻‍♂️ And, on the other side, they are still reporting security flaws publicly here on GitHub, sooo. 😉
@Ein-Tim I already replied on Twitter, but the TL;DR is, as you also said: of course, do not publish unfixed/undisclosed vulnerabilities. As for fixed ones, however, there is – judging from technical experience – no disadvantage/risk in just publishing them. Especially as they, as you noticed, are already somewhat public on GitHub.
@rugk I've raised the issue again, this time as a feature request.
@Ein-Tim
Is the argument from the Twitter user a valid one? For me it sounds logical that they won't publish these audits because hackers would then know what doesn't work and could concentrate on other methods.
It goes against all security best practices, so no, it isn't really valid.
Corona-Warn-App Open Source Team
@heinezen
Thank you for the explanation (and for raising this topic again)!
Is there any update available here? Will security audits be published directly on GitHub or is it necessary to request them via a FOI request?
Your Question
overview-security.md
As far as I read the doc there, you seem to acknowledge doing (external?) security audits of your code etc.
I'm talking about technical security audits (code audits, black-box or white-box tests, etc.), not GDPR/privacy analyses/statements etc.
Internal Tracking-ID: EXPOSUREAPP-8354