jeremytammik / RevitLookup

Interactive Revit RFA and RVT project database exploration tool to view and navigate BIM element parameters, properties and relationships.
http://thebuildingcoder.typepad.com
MIT License
1.03k stars 294 forks

Security related questions #207

Closed pacquiaowright closed 3 months ago

pacquiaowright commented 3 months ago

I serve as a member of the Information Security Team for Burns & McDonnell. There has been a request by one or more of my colleagues to start using this tool, and I was looking for the best point of contact who would be open to answering a few security-related questions, thank you.

Nice3point commented 3 months ago

Hi @pacquiaowright what problems?

jeremytammik commented 3 months ago

dear @pacquiaowright , this is the point of contact right here. please raise your questions right here. thx.

pacquiaowright commented 3 months ago

Good day, I serve as a member of the Information Security Team at Burns & McDonnell (BMcD). I understand that there has been a request to evaluate RevitLookup as a potential tool for use as an interactive Revit RFA and RVT project database exploration tool to view and navigate BIM element parameters, properties and relationships.

I'm looking to find documentation and/or someone from your team who can address these main points:

  1. Who has access to BMcD data

What I'm specifically focused on is who has access to data that BMcD considers private and/or client sensitive. For example, it appears that RevitLookup has a number of contributors, including many who may be outside the US. If BMcD data has the potential to be transmitted, processed or stored outside of our environment, we need to clearly understand how and where that data would be sent, transmitted, or accessed from outside our network, so we can then discuss and address how it would be protected accordingly.

  2. Security controls in place, based on whether the application is cloud-based or a local install

Can you help me better understand whether this plugin would be a local install or cloud based in some way? If this plugin is cloud-based, BMcD has a questionnaire with a list of questions that we require vendors of cloud-based applications to complete, see attached.

I also looked for information regarding the security features that come off the shelf by default, versus those features that are enabled or configured at the discretion of the customer. Since your code is on GitHub, to my best knowledge there are a number of security features that GitHub offers to help keep code and secrets secure in repositories and across organizations, see: https://docs.github.com/en/code-security/getting-started/github-security-features. Can you help us better understand which of these features have been enabled?

Also, if you have engaged a third party to conduct an independent examination, audit or testing of your security policies and controls against an industry-accepted framework (ISO 27001, OWASP, SOC 2, etc.), we would respectfully request an executive summary or cover letter documenting that review if possible.

  3. Applicable terms & conditions and/or end user license agreement (EULA)

I'd like to better understand what terms & conditions and/or end user license agreement would govern our use of the application. I am focused here on the potential licenses that BMcD would grant RevitLookup under your standard agreement language to data that BMcD and/or our clients would consider private or proprietary. I'd also like to understand which courts would govern or have jurisdiction over any disputes under the terms of your standard agreement.

  4. Development timeline & roadmap

I would also like to verify the development pipeline for this application. What is your strategy for supporting third-party integration requirements?

Once you can provide the additional info, if you would be open to a short call, I'd appreciate the chance to have a conference call with you and your relevant colleagues to discuss if necessary. I'd like to include other colleagues of mine as appropriate. If you have any questions, feel free to reach out to me directly.

Mike Monahan, CISSP, CPP \ Burns & McDonnell Third Party Cyber Risk Management \ GRC \ Corporate IT


jeremytammik commented 3 months ago

dear michael, none of the above is applicable to RevitLookup. It does not collect any data, it does not store any data, and it does not transfer any data anywhere. it works purely locally in real-time, enabling interactive navigation of the Revit BIM database and displaying results to the local user on the screen. in detail:

  1. Who has access to BMcD data

nobody. the local user can view Revit BIM data on the screen, but nothing is stored, transferred, or made available to anyone else.

  2. Security controls in place, based on whether the application is cloud-based or a local install

this is a local install.

  3. Applicable terms & conditions and/or end user license agreement (EULA)

MIT license.

  4. Development timeline & roadmap

no roadmap available. no support for third-party integration.

pacquiaowright commented 3 months ago

Thank you for the quick response.

If I may ask one follow-up question, I was hoping you could help me understand the security controls that have been enabled for the RevitLookup code repository in GitHub.

To illustrate what I'm referring to, if I may offer an example, here is a screenshot of a different GitHub repository that BMcD met with earlier this year. Would you be open to confirming which of the following policies are enabled for RevitLookup?

[A screenshot of a computer Description automatically generated]

Mike Monahan, CISSP, CPP \ Burns & McDonnell Third Party Cyber Risk Management \ GRC \ Corporate IT 9400 Ward Parkway \ Kansas City, MO 64114


jeremytammik commented 3 months ago

i do not think this discussion has much sense. i also do not see any screen snapshot to refer to, just a description saying "[A screenshot of a computer Description automatically generated]". RevitLookup has no security relevant aspects that i am aware of, or at least no more than any other locally run desktop app, e.g., Windows Notepad app.

pacquiaowright commented 3 months ago

Jeremy, I apologize for the miscommunication on my part, I beg your pardon that the screen shot did not come through, please allow me to explain.

My understanding is GitHub makes extra security features available to customers under an Advanced Security license. These features are also enabled for public repositories on GitHub.com. See "About GitHub Advanced Security - GitHub Enterprise Cloud" (I updated this comment to add the full link, brackets added to break the functionality: https://docs.github[.]com/en/enterprise-cloud@latest/get-started/learning-about-github/about-github-advanced-security)

My question is whether you have enabled any of these features for RevitLookup, including but not limited to:

  1. Code scanning - Search for potential security vulnerabilities and coding errors in your code using CodeQL or a third-party tool. For more information, see "About code scanning" and "About code scanning with CodeQL."

  2. CodeQL CLI - Run CodeQL processes locally on software projects or to generate code scanning results for upload to GitHub Enterprise Cloud. For more information, see "About the CodeQL CLI."

  3. Secret scanning - Detect secrets, for example keys and tokens, that have been checked into the repository. If push protection is enabled, GitHub also detects secrets when they are pushed to your repository. Secret scanning alerts for users and push protection are available and free of charge for all user-owned public repositories on GitHub.com. For more information, see "About secret scanning" and "Push protection for repositories and organizations."

  4. Custom auto-triage rules - Help you manage your Dependabot alerts at scale. With custom auto-triage rules you have control over the alerts you want to ignore, snooze, or trigger a Dependabot security update for. For more information, see "About Dependabot alerts" and "Customizing auto-triage rules to prioritize Dependabot alerts."

  5. Dependency review - Show the full impact of changes to dependencies and see details of any vulnerable versions before you merge a pull request. For more information, see "About dependency review."

Mike Monahan, CISSP, CPP \ Burns & McDonnell Third Party Cyber Risk Management \ GRC \ Corporate IT 9400 Ward Parkway \ Kansas City, MO 64114


jeremytammik commented 3 months ago

please realise that this conversation feels like a huge waste of time to me. RevitLookup is open source, and you can analyse all of the aspects you ask about for yourself if you care. i don't know the details about all of the above, but my tendency would be to answer "no" to most or all of them. check it out for yourself if you care. it is all open for your inspection, afaik.

pacquiaowright commented 3 months ago

To my best knowledge, I am not able to view the settings above without the assistance of a Contributor such as yourself. If you or another Contributor who is familiar with these settings is able to respond I would appreciate it.

Please understand, I respect your time and the effort by you and all the contributors to make this a useful plugin that is in demand across the globe. I do not want to waste your time by any means. The purpose of my line of enquiry is so I can establish a level of confidence with my colleagues and our clients that the contributors for the RevitLookup plugin are following industry best practices with regards to the management of code security and vulnerabilities that could pose a threat to sensitive data if exploited by an adversary that does not have our best interests in mind.
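What a third-party reviewer can and cannot establish from a public repository alone, as an added example that is not part of this thread and not RevitLookup's own code: the script below inspects a local checkout's `.github` directory for the artefacts that the features listed above leave behind (a workflow using the CodeQL actions for code scanning, a `dependabot.yml`, the dependency-review action, a SECURITY.md). Secret scanning, push protection and Dependabot auto-triage rules are repository settings on GitHub's side that leave no file in a checkout, so the script reports them as not inferable rather than guessing. The sample checkout it builds in a temporary directory is constructed for the example; the action names (`github/codeql-action`, `actions/dependency-review-action`) are the ones GitHub documents.

```python
import re
import tempfile
from pathlib import Path

# Action references GitHub documents for each feature; a workflow that
# "uses:" one of them is evidence that the feature is wired into CI.
WORKFLOW_MARKERS = {
    "code_scanning_codeql": re.compile(r"uses:\s*github/codeql-action/(?:init|analyze)"),
    "dependency_review": re.compile(r"uses:\s*actions/dependency-review-action"),
}

# Repository settings with no footprint in a checkout: only a maintainer
# (or the authenticated GitHub API) can confirm these.
NOT_INFERABLE = ("secret_scanning", "push_protection", "dependabot_auto_triage_rules")


def _workflow_files(root: Path):
    """Return the YAML workflow files under .github/workflows, if any."""
    workflows = root / ".github" / "workflows"
    if not workflows.is_dir():
        return []
    return sorted(p for p in workflows.iterdir() if p.suffix in (".yml", ".yaml"))


def scan_checkout(root) -> dict:
    """Report which security features leave evidence in a local checkout.

    True/False means the evidence was found/not found; None means the
    feature cannot be determined from repository contents at all.
    """
    root = Path(root)
    found = {key: False for key in WORKFLOW_MARKERS}
    for wf in _workflow_files(root):
        text = wf.read_text(encoding="utf-8", errors="replace")
        for key, pattern in WORKFLOW_MARKERS.items():
            if pattern.search(text):
                found[key] = True
    # Dependabot version updates and a disclosure policy are plain files.
    found["dependabot_config"] = (root / ".github" / "dependabot.yml").is_file()
    found["security_policy"] = any(
        (root / name).is_file() for name in ("SECURITY.md", ".github/SECURITY.md")
    )
    for key in NOT_INFERABLE:
        found[key] = None
    return found


def build_sample_checkout(root) -> Path:
    """Write a constructed checkout: CodeQL workflow and dependabot.yml, no SECURITY.md."""
    root = Path(root)
    workflows = root / ".github" / "workflows"
    workflows.mkdir(parents=True, exist_ok=True)
    (workflows / "codeql.yml").write_text(
        "name: CodeQL\n"
        "on: [push, pull_request]\n"
        "jobs:\n"
        "  analyze:\n"
        "    runs-on: windows-latest\n"
        "    steps:\n"
        "      - uses: actions/checkout@v4\n"
        "      - uses: github/codeql-action/init@v3\n"
        "        with:\n"
        "          languages: csharp\n"
        "      - uses: github/codeql-action/analyze@v3\n",
        encoding="utf-8",
    )
    (workflows / "build.yml").write_text(
        "name: Build\non: [push]\njobs:\n  build:\n    runs-on: windows-latest\n"
        "    steps:\n      - uses: actions/checkout@v4\n",
        encoding="utf-8",
    )
    (root / ".github" / "dependabot.yml").write_text(
        "version: 2\nupdates:\n  - package-ecosystem: nuget\n    directory: /\n"
        "    schedule:\n      interval: weekly\n",
        encoding="utf-8",
    )
    return root


def demo() -> dict:
    """Build the constructed checkout in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_checkout(build_sample_checkout(tmp))


if __name__ == "__main__":
    for feature, status in demo().items():
        label = "not inferable from checkout" if status is None else ("yes" if status else "no")
        print(f"{feature:30s} {label}")
```

Point `scan_checkout` at a real clone to get the same report for any repository; the value of the three-way answer is that it separates "no evidence in the repo" from "this is a setting you must ask the maintainer about", which is exactly the distinction the questions in this thread run into.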

jeremytammik commented 3 months ago

the best way to achieve the purpose you describe is to fork this directory, grab the code that is of use and interest to you, and create your own add-in from the parts that you need. why trust a third party with anything whatsoever? i prefer to avoid doing so myself. :-)

Nice3point commented 3 months ago

RevitLookup does not contain any code that would violate the user's privacy. You won't find any known vulnerabilities here; we only use tested and reliable dependencies from Microsoft. These security questions don't make any sense, we don't collect metrics or other things.

pacquiaowright commented 3 months ago

@jeremytammik and @Nice3point thank you both for your responses.

@jeremytammik I will investigate your suggestion. I appreciate your patience and consideration.

I'll close this comment for now. If I have additional questions, I'll open a new thread. Thank you both.