shanduur
commented
3 months ago For scanning images I added both Grype and Trivy. Those two should be complementary, even though most of the time the results will be exactly the same between two. I think that’s enough for scanning during PRs. We should be also scanning latest release images nightly. Workflow should also create issues in case vulnerabilities were found.
When it comes to dependency management, I suggest using Dependabot for everything.
Context and Problem Statement
Security in software is crucial for safeguarding data, user privacy, and system integrity. It protects against unauthorized access, prevents data breaches, maintains user trust, ensures legal compliance, and mitigates financial risks.
Integrating security into the software development lifecycle is essential for creating resilient systems that can adapt to evolving cyber threats, ultimately contributing to the reliability and success of software applications.
At the beginning of each project developers should consider the approach to the security maintanance.
Considered Options
Key practices to help maintain security in a software project are:
Security by Design: security requirements, threat modeling, and risk assessments during the architectural planning. Threat modeling is a structured approach used in software development and system design to identify and evaluate potential security threats and vulnerabilities.
Regular code reviews: shouldn't we have 2 approved review to merge the PR?
Static Code Analysis:
golangci-linttool for scanning the codebase for potential security vulnerabilities.Dynamic Application Security Testing (DAST): perform dynamic testing on the running application to identify vulnerabilities that might not be apparent in the source code. Use DAST tools to simulate real-world attacks and assess the security posture of the application.
Dependency Scanning: scanning and monitoring third-party dependencies for known vulnerabilities. Using an open-source vulnerability scanners eg.
Trivy,Twistlock,Oval,ClamAV.Regular Updates and Patching: keeping all software components, including operating systems, frameworks, and third-party libraries, up to date with the latest security patches. Regularly apply updates to address known vulnerabilities.
dependabot,renovate?Authentication and Authorization: strong authentication and authorization mechanisms implementation. Use secure protocols and practices to protect user credentials and ensure that users have the appropriate permissions.
Data Encryption: sensitive data encryption during transmission and storage. Utilize encryption protocols such as TLS for securing communication and implement strong encryption algorithms for data at rest.
registry-operatorwill utilize credentails from secrets.Monitoring and Logging: covered in the https://github.com/registry-operator/adr/issues/2