safe-paths-contrib / covid-safe-paths

COVID Safe Paths (based on Private Kit) is an open and privacy preserving system to use personal information to battle COVID
https://covidsafepaths.org
MIT License

Security Review #9

Closed philmui closed 4 years ago

kujenga commented 4 years ago

Update: Sam shares that it would be great to understand how the existing project can get up to speed on best practices and third party tools. This will be "need to have" pretty soon.

Paolo to setup meeting to review.

kujenga commented 4 years ago

Update: We now have a plan for making use of a captcha to reduce the potential for high-volume spam. This is part of the API.

Certificate pinning/root certificates. Fiaz indicated a preference for pinning the CA authority. Probably out of scope for the next release. Root CA pinning might be feasible for the next release, depending on server strategy.

Working through decision on encryption of data at rest as well.

kujenga commented 4 years ago

Update: Paolo to connect with Fiaz for an update

kujenga commented 4 years ago

Update from Fiaz:

The code review is in progress. There is a team of three reviewers who are taking turns / splitting the code base to do the review for the mobile app. Will set up a different set of reviewers for backend server code, which I believe is not critical at the moment. I will update on their progress tomorrow.

kujenga commented 4 years ago

Update from Fiaz:

Standup update (have an ongoing conflict)

  • We have three security engineers reviewing covid-safe-paths code and working with the engineering team
  • I ran code analysis on the same code and detected Google API credentials checked into the code. Raised an issue with Tim Stirrat who addressed it in this PR https://github.com/tripleblindmarket/covid-safe-paths/pull/695.

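As an added example that is not part of this issue thread or the covid-safe-paths code base: a minimal secret scanner of the kind that catches API credentials committed to a React Native source tree, so a reviewer can see what "code analysis detected Google API credentials checked into the code" looks like in practice. The rule names, the `secret-scan: allow` inline marker (for a key that has been reviewed and deliberately kept in source because it is restricted), and the sample `App.js` lines are all constructed for this example; only the Google key shape (`AIza` followed by 35 URL-safe characters) is a real, publicly documented pattern.

```javascript
// Added example, not project code: scan source text for committed credentials.
// Findings carry a redacted excerpt so the secret itself never lands in CI logs.

const RULES = [
  // Google API keys: "AIza" followed by 35 URL-safe characters (public pattern).
  { name: 'google-api-key', re: /AIza[0-9A-Za-z\-_]{35}/g },
  // A long quoted literal assigned to a key/secret/token-looking name.
  { name: 'generic-secret', re: /(?:api[_-]?key|secret|token)\s*[:=]\s*['"][A-Za-z0-9\-_\/+=]{16,}['"]/gi },
  // PEM private key material pasted into a file.
  { name: 'private-key', re: /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/g },
];

// Hypothetical inline marker: a key a human reviewed and chose to keep in source
// (e.g. an API key restricted to this app's bundle id / referrer) is not reported.
const ALLOW_MARKER = 'secret-scan: allow';

// Keep enough of a match to locate it, never enough to reuse it.
function redact(match) {
  return match.length <= 8 ? '****' : match.slice(0, 4) + '...' + match.slice(-2);
}

// Returns [{ file, line, rule, excerpt }] for every rule hit, line by line.
function scanSource(text, filename = '<input>') {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    if (line.includes(ALLOW_MARKER)) return; // explicitly reviewed line
    for (const rule of RULES) {
      rule.re.lastIndex = 0; // reset /g regex state between lines
      let m;
      while ((m = rule.re.exec(line)) !== null) {
        findings.push({ file: filename, line: idx + 1, rule: rule.name, excerpt: redact(m[0]) });
      }
    }
  });
  return findings;
}

// Constructed sample file: the key values are filler, not real credentials.
const SAMPLE = [
  "import { Platform } from 'react-native';",
  `const GOOGLE_MAPS_KEY = '${'AIza' + 'X'.repeat(35)}';`,            // line 2: flagged
  `const apiKey = "${'Y'.repeat(24)}"; // secret-scan: allow (restricted key)`, // line 3: allowed
  'const sessionToken = await fetchToken();',                          // line 4: runtime value, clean
  '-----BEGIN RSA PRIVATE KEY-----',                                   // line 5: flagged
  `const token = "${'Z'.repeat(20)}";`,                                // line 6: flagged
];

function scanSample() {
  return scanSource(SAMPLE.join('\n'), 'App.js');
}

// Runs stand-alone: prints one redacted finding per line.
for (const f of scanSample()) {
  console.log(`${f.file}:${f.line} ${f.rule} ${f.excerpt}`);
}
```

In a real pipeline this runs over `git diff` output or the whole tree in CI, and the allow marker is the hook for the situation discussed later in this issue: a key that stays in the repository on purpose because it is restricted server-side still gets a recorded, reviewable exception rather than a silent pass.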
kujenga commented 4 years ago

Update: It will be okay to have the key in the source since it is properly restricted.

kujenga commented 4 years ago

Update:

Fiaz: Still waiting on final recommendations from the security team. Some tools have already been run against the codebase. There are other companies helping on this space.

Sam: Confirming that review process Salesforce is doing is different in goals.

Code review for @troach-sf happened as well

kujenga commented 4 years ago

Looking at using Snyk as well

kujenga commented 4 years ago

Last things here:

kujenga commented 4 years ago

Local testing complete for the encryption with no issues found!