Evaluate (and, if necessary, improve) security

[renatobellotti]

The following areas should be covered. Altogether, we need to establish a full CI/CD stack to guarantee security in the future by automating testing, updating and deployment.

Security of the host system:

• Establish practice to regularly update the system
• Fix Let's-Encrypt automatic certifitcate renewal
• Run a full portscan, service discovery etc.
• Harden the system: Uninstall unneeded packages and services
• Get docker from the official Debian repository, if it is available from there in the meantime
• Check permissions of important filesystem locations
• Check configuration of SSH
• Other things to consider?

  Docker:

• Check if docker engine is configured securely
• Check if containers only have minimal permissions
• Check for suspicious images/containers
• Consider using a benchmark tool, e. g. https://github.com/docker/docker-bench-security

  Image

• Install only packages that are needed now (remove packages needed in earlier versions of the website)
• Establish a workflow that updates the containers and the underlying base images on a regular schedule
• Build one single image for the production environment:
  • no need to pull a git repo
  • every update should also include an update of the base images

    Source code

• Update Python package dependencies (see #80)
• Write unit tests to make sure that updates don't break any dependencies
• Check configuration of the website

[renatobellotti]

Thoughts about this:

• The next version of the image should not expose the database to the Internet in order to reduce possible attack vectors.
• The image should be built and deployed on a regular basis in order to include the latest security patches.