Closed: philmui closed this 4 years ago
Update: We now have a plan to use a captcha to reduce the potential for high-volume spam. This is part of the API
Certificate pinning/root certificates. Fiaz indicated a preference for pinning the CA certificate. Probably out of scope for the next release. Root CA pinning might be feasible for the next release, depending on the server strategy.
Also working through the decision on encryption of data at rest.
Update: Paolo to connect with Fiaz for an update
Update from Fiaz:
The code review is in progress. There is a team of three reviewers who are taking turns / splitting the code base to do the review for the mobile app. Will set up a different set of reviewers for backend server code, which I believe is not critical at the moment. I will update on their progress tomorrow.
Update from Fiaz:
Standup update (have an ongoing conflict)
- We have three security engineers reviewing covid-safe-paths code and working with the engineering team
- I ran code analysis on the same code and detected Google API credentials checked into the code. Raised an issue with Tim Stirrat, who addressed it in this PR: https://github.com/tripleblindmarket/covid-safe-paths/pull/695.
Update: It will be okay to have the key in the source since it is properly restricted.
Update:
Fiaz: Still waiting on final recommendations from the security team. Some tools have already been run against the codebase. There are other companies helping in this space.
Sam: Confirming that the review process Salesforce is doing has different goals.
Code review for @troach-sf happened as well
Looking at using Snyk as well
Last things here:
Local testing complete for the encryption with no issues found!
Update: Sam shares that it would be great to understand how the existing project can get up to speed on best practices and third party tools. This will be "need to have" pretty soon.
Paolo to setup meeting to review.