Golden Record / BPN Service Release 23.12 Security Acceptance Criteria

[kelaja]

Release Security 23.12

Source in Catena-X Confluence and Expert Contacts here(Source only accessible for Catena-X Consortia members in current transition phase).

• [x] Threat Modelling Analysis results Analysis completed (operations excluded):

  • List of risks generated or updated, rated & actions defined
  • Risks accepted or mitigation actions implemented and tested
  • no high threats acceptable

  Artifact Repository:

  • risk register (decentral on Catena-X confluence)

  Prime Contacts:

  • Security Team: SEC0

• [x] Static Application Security Testing (SAST)

  • code must be scanned weekly with Veracode tool
  • medium risks require mitigation statement
  • high and above not accepted

  Best Practise:

  • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

  Artifact Repository:

  • Veracode UI
  • (+ GitHub Action)

  Prime Contacts:

  • Security Team: SEC1

• [x] Dynamic Application Security Testing (DAST) incl API testing (if applicable)

  • all findings assessed
  • high & very high findings mitigated
  • evidence by re-scan

  Best Practise:

  • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

  Artifact Repository:

  • INVICTI tool

  Prime Contacts:

  • Security Team: SEC3 SEC4

• [x] Secret scanning Scan executed centrally by SEC team and ZERO valid findings

  Artifact Repository:

  • Veracode or alternative tool
  • GitHub Secret Scanning
  • GitGuardian

  Best Practise:

  • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

  Prime Contact:

  • Security Team: SEC1

• [x] Software Composition Analysis (SCA) Dependencies must be scanned with Veracode tool with regards to vulnerability

  • high and above not accepted
  • FOSS whitelist policy has to be passed

  Best Practise:

  • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

  Artifact Repository:

  • Veracode UI
  • (& GitHub Action)

  Prime Contacts:

  • Security Team: SEC1

• [x] Container Scan conducted All containers in GitHub Packages must be scanned

  • High / Critical findings not accepted

  Best Practise:

  • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

  Artifact Repository:

  • Trivy
  • via nightly GitHub Action

  Prime Contacts:

  • Security Team: SEC2

• [x] Infrastructure as Code IaC code must be scanned.

  • Error findings not accepted

  Best Practise:

  • Confirm relevant repository as early as possible to SEC team to enable regular, automated scans. Evidence required for Gate approval.

  Artifact Repository:

  • KICS or alternative tool
  • via nightly GitHub Action

  Prime Contacts:

  • Security Team: SEC2

[rybtim]

Threat Modelling Analysis results were updated within last release 23.09 https://confluence.catena-x.net/x/Cm1HAw. No significant changes. Next update is planned in 24.03 with the upcoming breaking change of the generic endpoint and the implementation of the orchestrator. @guenterban

[rybtim]

Static Application Security Testing (SAST): No high risks found can you check @PiotrStys

[rybtim]

Dynamic Application Security Testing (DAST): The pen environment was setup for 21.12.2023 @PiotrStys can you check

[rybtim]

Software Composition Analysis (SCA): No high findings @klaudiaZF @Gitleena

[rybtim]

Container Scan conducted: No high findings @scherersebastian can you confirm

[rybtim]

Infrastructure as Code: No high findings @scherersebastian please confirm

[PiotrStys]

@rybtim, can you please provide the updated URL of the deployment?

[guenterban]

@kelaja: Threat Modelling Analysis passed

[SujitMBRDI]

@rybtim, can you please provide the updated URL of the deployment?

Please find below links for deployed Pen environment https://argo.dev.demo.catena-x.net/applications/argocd/bpdm-pen?view=tree&resource= https://business-partners-pen.dev.demo.catena-x.net/companies/test-company/ui/swagger-ui/index.html https://business-partners-pen.dev.demo.catena-x.net/pool/ui/swagger-ui/index.html

@nicoprow EDIT: I removed the bridge link. Only Gate and Pool are relevant for Pen-Testing

[PiotrStys]

@SujitMBRDI, @rybtim Sorry but this is not clear enough to me.

Are those URLs alternative deployments and is this enough to scan one of them? I believe that so far we used the one below for assessments: https://business-partners-pen.dev.demo.catena-x.net/pool

Does that seem to work for this QG as well?

[klaudiaZF]

Hi @SujitMBRDI , can you please provide a link to project name in Veracode for SCA ?

[nicoprow]

@SujitMBRDI, @rybtim Sorry but this is not clear enough to me.

Are those URLs alternative deployments and is this enough to scan one of them? I believe that so far we used the one below for assessments: https://business-partners-pen.dev.demo.catena-x.net/pool

Does that seem to work for this QG as well?

The last time we had two scans: One for the pool and one for the test-company subpath. These two would need to be executed again:

[nicoprow]

Hi @SujitMBRDI , can you please provide a link to project name in Veracode for SCA ?

[klaudiaZF]

Hi All,

SCA passed

https://analysiscenter.veracode.com/auth/index.jsp#ReviewResultsSCA:47240:1405572:31074750:31044898:31060548:::::4421730:

[PiotrStys]

Hello,

No high/critical findings reported back by Invicti. Others have been reviewed and approved.

DAST Passed

Thanks, Piotr

[scherersebastian]

IaC/ KICS passed. Container trivys scans passed

[DnlZF]

Hi, there are no open GitGuardian findings:

-> Secret scanning approved

Best regards Daniel