From 0c3efe96dc8122bb0213c50794d732a916a74531 Mon Sep 17 00:00:00 2001
From: SSIRKC <115729451+SSIRKC@users.noreply.github.com>
Date: Fri, 2 Feb 2024 10:40:09 +0100
Subject: [PATCH 1/4] Create security-assessment.md
Initiation
---
docs/security-assessment.md | 39 +++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 docs/security-assessment.md
diff --git a/docs/security-assessment.md b/docs/security-assessment.md
new file mode 100644
index 00000000..7dfa7b32
--- /dev/null
+++ b/docs/security-assessment.md
@@ -0,0 +1,39 @@
+# Security Assessment PURIS (incl. Frontend, Backend Services, IAM and other infrastructure)
+
+| | |
+| ------------------------- | ---------------------------------------------------------------------------------------------- |
+| Contact for product | [@tom-rm-meyer-ISST](https://github.com/tom-rm-meyer-ISST) |
+| Security responsible | [@SSIRKC](https://github.com/SSIRKC)
[@szymonkowalczykzf](https://github.com/szymonkowalczykzf) |
+| Version number of product | 23.12 |
+| Dates of assessment | 2023-12-11: Re-Assessment |
+| Status of assessment | RE-ASSESSMENT DONE |
+
+## Product Description
+Application Security review provides information about application design, architecture and current security state.
+The Predictive Unit Real-Time Information System (PURIS) KIT provides the capabilities to exchange the production related information within a given relationship between two business partners such as the already available stock of the supplier, the current stock of the customer and the customer's demand. The aim is to help to mitigate potential and actual shortage scenarios.
+
+PURIS is the second of two components of the Demand and Capacity Management as approached by the Resiliency Kit:
+A planning component forecasting its demands and capacities for the next months up to multiple years.
+An operationalization component verifying the demands and capacities of its actual production plan from today up to multiple weeks.
+
+
+Within the Business Domain Resiliency, the Demand and Capacity Management (DCM) represents the planning and the PURIS represents the operationalization component. Considering a shorter time period in PURIS based on the production plan, results in more reliable information.
+Generally, the Demand and Capacity Management needs a close cooperation between a company and its partners along the supply chain.
+Within the value chain, each partner needs to plan his own production and relies on his customers' demand forecasts. The bullwhip effect describes the rising amplified deviation between orders to suppliers and sales to buyers along the value chain. The fluctuation rises from tier to tier. Using the latest production related information, you can mitigate the bullwhip effect for you and your partners within the value chain.
+
+As a customer, you can verify the production related information of your partner so that you can identify potential shortages earlier with less effort and mitigate or resolve them spending less resources.
+As a supplier, you can increase your production efficiency, e.g. by optimizing your batch size based on your customers' latest demands.
+
+Currently the PURIS Application have 1 main functionality:
+Customers can View and Manage Stocks in the app.
+Additionally, functionality related to the fully functional Customer dashboard is currently under creation.
+The rest of the functionalities, especially the resiliency ones are currently not yet implemented and only planned for the further development & implementation for upcoming future.
+
+## Scope of the review
+|ID | Component Description |
+| ------------------------- | ------------------------- |
+|1 | Vue User Interface (Frontend) |
+|2 | Stock View Controller |
+|3 | H2 Database |
+|4 | Data Response Controller |
+|5 | Data Request Controller |
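Review bot: the "Security responsible" row of the header table is split across two physical lines (the `[@szymonkowalczykzf](...)` link starts a new line), so the GFM table breaks at that row and the second link renders as a stray paragraph; put both names in one cell, e.g. `| Security responsible | [@SSIRKC](https://github.com/SSIRKC), [@szymonkowalczykzf](https://github.com/szymonkowalczykzf) |`. Two smaller points in the same hunk: the title promises coverage of "IAM and other infrastructure", but the "Scope of the review" table lists only the Vue frontend, three controllers and the H2 database, so either add the IAM component (and whatever else was assessed) to the scope table or narrow the title; and "Currently the PURIS Application have 1 main functionality" should read "has one main functionality".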
From b192fdeeb431681a058b43fc00c355fd79f64b11 Mon Sep 17 00:00:00 2001
From: SSIRKC <115729451+SSIRKC@users.noreply.github.com>
Date: Fri, 2 Feb 2024 11:45:24 +0100
Subject: [PATCH 2/4] Update security-assessment.md
Added scope of the review
---
docs/security-assessment.md | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/docs/security-assessment.md b/docs/security-assessment.md
index 7dfa7b32..b6754878 100644
--- a/docs/security-assessment.md
+++ b/docs/security-assessment.md
@@ -1,6 +1,6 @@
# Security Assessment PURIS (incl. Frontend, Backend Services, IAM and other infrastructure)
-| | |
+| Contact | Details |
| ------------------------- | ---------------------------------------------------------------------------------------------- |
| Contact for product | [@tom-rm-meyer-ISST](https://github.com/tom-rm-meyer-ISST) |
| Security responsible | [@SSIRKC](https://github.com/SSIRKC)
[@szymonkowalczykzf](https://github.com/szymonkowalczykzf) |
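Review bot: the new `| Contact | Details |` header does not fix the row underneath it: `[@szymonkowalczykzf](https://github.com/szymonkowalczykzf) |` is still on its own line, so the table is still malformed after this change. Join the two links into a single cell on one line (comma or `<br>` separated) in this commit.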
@@ -37,3 +37,7 @@ The rest of the functionalities, especially the resiliency ones are currently n
|3 | H2 Database |
|4 | Data Response Controller |
|5 | Data Request Controller |
+
+# Vulnerabilities & Threats
+| V001 | Lack of authentication & authorization mechanisms |
+| ------------------------- | ------------------------- |
From 53b53c1530d23191fe9cfbbc559117f580be983d Mon Sep 17 00:00:00 2001
From: SSIRKC <115729451+SSIRKC@users.noreply.github.com>
Date: Fri, 2 Feb 2024 14:10:39 +0100
Subject: [PATCH 3/4] Update security-assessment.md
Finalisation of assessment. DF to be added by Szymon later after pull request.
---
docs/security-assessment.md | 58 ++++++++++++++++++++++++++++++++++++-
1 file changed, 57 insertions(+), 1 deletion(-)
diff --git a/docs/security-assessment.md b/docs/security-assessment.md
index b6754878..f337579b 100644
--- a/docs/security-assessment.md
+++ b/docs/security-assessment.md
@@ -38,6 +38,62 @@ The rest of the functionalities, especially the resiliency ones are currently n
|4 | Data Response Controller |
|5 | Data Request Controller |
-# Vulnerabilities & Threats
+## Dataflow Diagram
+To be added by @szymonkowalcyk
+
+## Vulnerabilities & Threats
| V001 | Lack of authentication & authorization mechanisms |
| ------------------------- | ------------------------- |
+| Element | PURIS IAM Policy |
+| Before Mitigation | Impact: High, Likelihood: High, Risk: High |
+| After Mitigation | Impact: Low, Likelihood: Low, Risk: Low |
+| Mitigation | Authentication & authorization concept implemented. The front-end provides a Key Cloak integration. (C-X Central Identity Provider is in use.) Puris product may be accessed only by authenticated and authorized personnel, it restricts accessible views based on the client roles: PURIS_USER - common views related to short term information needs PURIS_ADMIN - EDC related views (may be used for debugging)|
+
+| V002 | Lack of User session management controls, including token handling. That pose a security risk, that can lead to unauthorized access and session hijacking. |
+| ------------------------- | ------------------------- |
+| Element | PURIS Product |
+| Before Mitigation | Impact: High, Likelihood: High, Risk: High |
+| After Mitigation | Impact: Low, Likelihood: Low, Risk: Low |
+| Mitigation | Local implementation of KeyCloak was done. Token renewals are enforced for all Users. Token renewal was setup for 5 minutes. |
+
+| V003 | Lack of Input Validation mechanisms implemented, that can lead to various security vulnerabilities related to injection attacks. |
+| ------------------------- | ------------------------- |
+| Element | PURIS Product |
+| Before Mitigation | Impact: High, Likelihood: High, Risk: High |
+| After Mitigation | Impact: Low, Likelihood: Low, Risk: Low |
+| Mitigation | Business Wise Validation was implemented. Input validation on controller level was implemented. Pattern validation on all fields and on entity level was implemented. |
+
+| V004 | Lack of encryption for data in transit, that may expose sensitive data to the risk of interception and compromise. |
+| ------------------------- | ------------------------- |
+| Element | PURIS Product |
+| Before Mitigation | Impact: High, Likelihood: High, Risk: High |
+| After Mitigation | Impact: Low, Likelihood: Low, Risk: Low |
+| Mitigation | Product Team currently working on SSL. Team already implemented and enforce HTTPS for for the front end of the product.Additionally tom is able to serve the backend with spring configuration respectively.Guide was created on how to configure HTTPS with docker. There are currently some Cores issues that were detected and are being investigated, probably needs spring reconfiguration. It was fixed. Issues happened cause of self signed certificates. The issue is already solved. SSL was also already integrated to the Product. |
+
+| V005 | Lack of rate limiting on API level, that make API vulnerable for denial of service |
+| ------------------------- | ------------------------- |
+| Element | PURIS Product |
+| Before Mitigation | Impact: Medium, Likelihood: Medium, Risk: Medium |
+| After Mitigation | Impact: Low, Likelihood: Low, Risk: Low |
+| Mitigation | Implementation was currently postponed till all of the other High findings will be addressed. |
+
+| V006 | Lack of logging and monitoring solution in place, that can hinder the detection of security incidents, performance issues and operational anomalies. |
+| ------------------------- | ------------------------- |
+| Element | PURIS Product |
+| Before Mitigation | Impact: Low, Likelihood: Medium, Risk: Medium |
+| After Mitigation | Impact: Low, Likelihood: Low, Risk: Low |
+| Mitigation | Application is already logging every information about : every call to the respective EDC's, actions related to the exchange of data between partners, all authentication & authorization data Logging enchantments were completed. |
+
+| V007 | Encryption of confidential data at rest. |
+| ------------------------- | ------------------------- |
+| Element | PURIS Product |
+| Before Mitigation | Impact: High, Likelihood: Low, Risk: Medium |
+| After Mitigation | Impact: Low, Likelihood: Low, Risk: Low |
+| Mitigation | Will be addressed with lower priority due to severity. Goal is to show app is capable of processing the encrypted data. Remaining work is focused on testing those functionality with PostgreSQL DB. |
+
+| V008 | Confirmed vulnerabilities with high severity for H2 Database. |
+| ------------------------- | ------------------------- |
+| Element | H2 DB |
+| Before Mitigation | Impact: High, Likelihood: Medium, Risk: High |
+| After Mitigation | Impact: Low, Likelihood: Low, Risk: Low |
+| Mitigation | PostgreSQL DB has been implemented to the product. Status of implementation is already completed. |
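Review bot: the "After Mitigation" ratings for V005 and V007 are both "Impact: Low, Likelihood: Low, Risk: Low", but the Mitigation cells say the rate limiting "was currently postponed" and that encryption at rest "Will be addressed with lower priority" with testing still remaining; residual risk cannot be Low for a control that has not been implemented, so either keep the "Before" rating as the current risk until the work lands, or add a status column that separates planned from implemented mitigations. Further points in this hunk: the Dataflow Diagram placeholder tags `@szymonkowalcyk`, which does not match `@szymonkowalczykzf` in the header table; "Key Cloak" (V001) and "KeyCloak" (V002) should both be the product's spelling "Keycloak"; the V001 role list (`PURIS_USER - ... PURIS_ADMIN - ...`) runs together inside one cell and needs a separator such as `;` or `<br>`; V002 should state what "Token renewal was setup for 5 minutes" means (access token lifetime vs. refresh interval, and the idle/maximum session timeout); the V004 cell is a running changelog that contradicts itself ("currently working on SSL" vs. "SSL was also already integrated"), names an individual ("tom"), and misspells CORS as "Cores", so rewrite it to describe the final state only; "Logging enchantments" in V006 should be "Logging enhancements"; and V008 claims "Confirmed vulnerabilities with high severity" without citing the advisory identifiers or the affected version, which the reader needs to verify the finding.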
From 135b2e44eaa58a2c77837e81b8c55bb1f8783149 Mon Sep 17 00:00:00 2001
From: SSIRKC <115729451+SSIRKC@users.noreply.github.com>
Date: Mon, 5 Feb 2024 10:43:29 +0100
Subject: [PATCH 4/4] Update security-assessment.md
Updated according to the requests.
---
docs/security-assessment.md | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/docs/security-assessment.md b/docs/security-assessment.md
index f337579b..ec7b15fd 100644
--- a/docs/security-assessment.md
+++ b/docs/security-assessment.md
@@ -10,11 +10,11 @@
## Product Description
Application Security review provides information about application design, architecture and current security state.
-The Predictive Unit Real-Time Information System (PURIS) KIT provides the capabilities to exchange the production related information within a given relationship between two business partners such as the already available stock of the supplier, the current stock of the customer and the customer's demand. The aim is to help to mitigate potential and actual shortage scenarios.
+The Predictive Unit Real-Time Information System (PURIS) provides the capabilities to exchange the production related information within a given relationship between two business partners such as the already available stock of the supplier, the current stock of the customer and the customer's demand. The aim is to help to mitigate potential and actual shortage scenarios.
PURIS is the second of two components of the Demand and Capacity Management as approached by the Resiliency Kit:
-A planning component forecasting its demands and capacities for the next months up to multiple years.
-An operationalization component verifying the demands and capacities of its actual production plan from today up to multiple weeks.
+* A planning component forecasting its demands and capacities for the next months up to multiple years.
+* An operationalization component verifying the demands and capacities of its actual production plan from today up to multiple weeks.
Within the Business Domain Resiliency, the Demand and Capacity Management (DCM) represents the planning and the PURIS represents the operationalization component. Considering a shorter time period in PURIS based on the production plan, results in more reliable information.
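Review bot: minor, in the trailing context line "Considering a shorter time period in PURIS based on the production plan, results in more reliable information." the comma separates subject from verb; drop it while this paragraph is being edited. Also, "Application Security review provides information about application design, architecture and current security state." reads as a generic definition rather than a description of this product and would sit better as the first sentence of the document's introduction than under "Product Description".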
@@ -25,9 +25,9 @@ As a customer, you can verify the production related information of your partner
As a supplier, you can increase your production efficiency, e.g. by optimizing your batch size based on your customers' latest demands.
Currently the PURIS Application have 1 main functionality:
-Customers can View and Manage Stocks in the app.
-Additionally, functionality related to the fully functional Customer dashboard is currently under creation.
-The rest of the functionalities, especially the resiliency ones are currently not yet implemented and only planned for the further development & implementation for upcoming future.
+* Customers can View and Manage Stocks in the app.
+* Additionally, adminsitrative views for the edc are in place. Also functionality related to the fully functional Customer dashboard is currently under creation.
+* The rest of the functionalities, especially the resiliency ones are currently not yet implemented and only planned for the further development & implementation for upcoming future.
## Scope of the review
|ID | Component Description |
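Review bot: "adminsitrative" in the second bullet should be "administrative", and "edc" should be "EDC" to match the capitalisation used in the V001 and V006 cells. The unchanged lead-in "Currently the PURIS Application have 1 main functionality:" is now contradicted by its own list, which states that administrative EDC views are in place as well; rephrase to "currently has the following functionality:" (and fix "have" to "has").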
@@ -68,7 +68,7 @@ To be added by @szymonkowalcyk
| Element | PURIS Product |
| Before Mitigation | Impact: High, Likelihood: High, Risk: High |
| After Mitigation | Impact: Low, Likelihood: Low, Risk: Low |
-| Mitigation | Product Team currently working on SSL. Team already implemented and enforce HTTPS for for the front end of the product.Additionally tom is able to serve the backend with spring configuration respectively.Guide was created on how to configure HTTPS with docker. There are currently some Cores issues that were detected and are being investigated, probably needs spring reconfiguration. It was fixed. Issues happened cause of self signed certificates. The issue is already solved. SSL was also already integrated to the Product. |
+| Mitigation | Product Team currently working on SSL. Team already implemented and enforce HTTPS for the front end of the product. Additionally, the admin guide explains how to serve the backend with spring configuration. It also includes configuration of HTTPS with docker. Guide was created on how to configure HTTPS with docker. There are currently some Cores issues that were detected and are being investigated, probably needs spring reconfiguration. It was fixed. Issues happened cause of self signed certificates. The issue is already solved. SSL was also already integrated to the Product. |
| V005 | Lack of rate limiting on API level, that make API vulnerable for denial of service |
| ------------------------- | ------------------------- |
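Review bot: the rewritten V004 Mitigation cell now says the same thing twice ("It also includes configuration of HTTPS with docker. Guide was created on how to configure HTTPS with docker.") and still carries the contradictory history ("currently working on SSL", "There are currently some Cores issues ... It was fixed ... The issue is already solved") plus the "Cores" misspelling of CORS. Since the finding is marked mitigated, the cell should state only the resulting control: HTTPS is enforced for the frontend, the backend can be served over HTTPS via the Spring configuration described in the admin guide, and the earlier CORS problem caused by self-signed certificates has been resolved.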
@@ -93,7 +93,7 @@ To be added by @szymonkowalcyk
| V008 | Confirmed vulnerabilities with high severity for H2 Database. |
| ------------------------- | ------------------------- |
-| Element | H2 DB |
+| Element | Hyper SQL DB (hsqldb) |
| Before Mitigation | Impact: High, Likelihood: Medium, Risk: High |
| After Mitigation | Impact: Low, Likelihood: Low, Risk: Low |
-| Mitigation | PostgreSQL DB has been implemented to the product. Status of implementation is already completed. |
+| Mitigation | PostgreSQL DB has been implemented to the product. Status of implementation is already completed. Additionally: We don't include it in compile, but in test scope so that we have easy testing but security when deploying. |
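Review bot: changing the Element to "Hyper SQL DB (hsqldb)" leaves the finding inconsistent with itself and with the rest of the file: the V008 title still reads "Confirmed vulnerabilities with high severity for H2 Database", and row 3 of the "Scope of the review" table still lists "H2 Database"; update both to whichever embedded database was actually assessed. The appended sentence "We don't include it in compile, but in test scope" should also be rewritten in the assessment's register and name the concrete control, i.e. that the embedded database dependency is declared with test scope in the build file so it is absent from the deployed artifact, ideally with a reference to the build file so a reader can confirm it.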