Create security-assessment.md #235
Merged
7 commits
0c3efe9 Create security-assessment.md (SSIRKC)
b192fde Update security-assessment.md (SSIRKC)
53b53c1 Update security-assessment.md (SSIRKC)
135b2e4 Update security-assessment.md (SSIRKC)
b16e853 Merge branch 'main' into patch-1 (SSIRKC)
fafd1b4 Merge branch 'main' into patch-1 (SSIRKC)
de6ae9b Merge branch 'main' into patch-1 (SSIRKC)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,99 @@ | ||
# Security Assessment PURIS (incl. Frontend, Backend Services, IAM and other infrastructure) | ||
|
||
| Contact | Details | | ||
| ------------------------- | ---------------------------------------------------------------------------------------------- | | ||
| Contact for product | [@tom-rm-meyer-ISST](https://github.com/tom-rm-meyer-ISST) | | ||
| Security responsible | [@SSIRKC](https://github.com/SSIRKC) <br> [@szymonkowalczykzf](https://github.com/szymonkowalczykzf) | | ||
| Version number of product | 23.12 | | ||
| Dates of assessment | 2023-12-11: Re-Assessment | | ||
| Status of assessment | RE-ASSESSMENT DONE | | ||
|
||
## Product Description | ||
Application Security review provides information about application design, architecture and current security state. | ||
The Predictive Unit Real-Time Information System (PURIS) KIT provides the capabilities to exchange the production related information within a given relationship between two business partners such as the already available stock of the supplier, the current stock of the customer and the customer's demand. The aim is to help to mitigate potential and actual shortage scenarios. | ||
|
||
|
||
PURIS is the second of two components of the Demand and Capacity Management as approached by the Resiliency Kit: | ||
A planning component forecasting its demands and capacities for the next months up to multiple years. | ||
|
||
An operationalization component verifying the demands and capacities of its actual production plan from today up to multiple weeks. | ||
|
||
|
||
Within the Business Domain Resiliency, the Demand and Capacity Management (DCM) represents the planning and the PURIS represents the operationalization component. Considering a shorter time period in PURIS based on the production plan, results in more reliable information. | ||
Generally, the Demand and Capacity Management needs a close cooperation between a company and its partners along the supply chain. | ||
Within the value chain, each partner needs to plan his own production and relies on his customers' demand forecasts. The bullwhip effect describes the rising amplified deviation between orders to suppliers and sales to buyers along the value chain. The fluctuation rises from tier to tier. Using the latest production related information, you can mitigate the bullwhip effect for you and your partners within the value chain. | ||
|
||
As a customer, you can verify the production related information of your partner so that you can identify potential shortages earlier with less effort and mitigate or resolve them spending less resources. | ||
As a supplier, you can increase your production efficiency, e.g. by optimizing your batch size based on your customers' latest demands. | ||
|
||
Currently the PURIS Application have 1 main functionality: | ||
Customers can View and Manage Stocks in the app. | ||
Additionally, functionality related to the fully functional Customer dashboard is currently under creation. | ||
|
||
The rest of the functionalities, especially the resiliency ones are currently not yet implemented and only planned for the further development & implementation for upcoming future. | ||
|
||
## Scope of the review | ||
|ID | Component Description | | ||
| ------------------------- | ------------------------- | | ||
|1 | Vue User Interface (Frontend) | | ||
|2 | Stock View Controller | | ||
|3 | H2 Database | | ||
|4 | Data Response Controller | | ||
|5 | Data Request Controller | | ||
|
||
## Dataflow Diagram | ||
To be added by @szymonkowalcyk | ||
|
||
## Vulnerabilities & Threats | ||
| V001 | Lack of authentication & authorization mechanisms | | ||
| ------------------------- | ------------------------- | | ||
| Element | PURIS IAM Policy | | ||
| Before Mitigation | Impact: High, Likelihood: High, Risk: High | | ||
| After Mitigation | Impact: Low, Likelihood: Low, Risk: Low | | ||
| Mitigation | Authentication & authorization concept implemented. The front-end provides a Key Cloak integration. (C-X Central Identity Provider is in use.) Puris product may be accessed only by authenticated and authorized personnel, it restricts accessible views based on the client roles: PURIS_USER - common views related to short term information needs PURIS_ADMIN - EDC related views (may be used for debugging)| | ||
|
||
| V002 | Lack of User session management controls, including token handling. That pose a security risk, that can lead to unauthorized access and session hijacking. | | ||
| ------------------------- | ------------------------- | | ||
| Element | PURIS Product | | ||
| Before Mitigation | Impact: High, Likelihood: High, Risk: High | | ||
| After Mitigation | Impact: Low, Likelihood: Low, Risk: Low | | ||
| Mitigation | Local implementation of KeyCloak was done. Token renewals are enforced for all Users. Token renewal was setup for 5 minutes. | | ||
|
||
| V003 | Lack of Input Validation mechanisms implemented, that can lead to various security vulnerabilities related to injection attacks. | | ||
| ------------------------- | ------------------------- | | ||
| Element | PURIS Product | | ||
| Before Mitigation | Impact: High, Likelihood: High, Risk: High | | ||
| After Mitigation | Impact: Low, Likelihood: Low, Risk: Low | | ||
| Mitigation | Business Wise Validation was implemented. Input validation on controller level was implemented. Pattern validation on all fields and on entity level was implemented. | | ||
|
||
| V004 | Lack of encryption for data in transit, that may expose sensitive data to the risk of interception and compromise. | | ||
| ------------------------- | ------------------------- | | ||
| Element | PURIS Product | | ||
| Before Mitigation | Impact: High, Likelihood: High, Risk: High | | ||
| After Mitigation | Impact: Low, Likelihood: Low, Risk: Low | | ||
| Mitigation | Product Team currently working on SSL. Team already implemented and enforce HTTPS for for the front end of the product.Additionally tom is able to serve the backend with spring configuration respectively.Guide was created on how to configure HTTPS with docker. There are currently some Cores issues that were detected and are being investigated, probably needs spring reconfiguration. It was fixed. Issues happened cause of self signed certificates. The issue is already solved. SSL was also already integrated to the Product. | | ||
|
||
|
||
| V005 | Lack of rate limiting on API level, that make API vulnerable for denial of service | | ||
| ------------------------- | ------------------------- | | ||
| Element | PURIS Product | | ||
| Before Mitigation | Impact: Medium, Likelihood: Medium, Risk: Medium | | ||
| After Mitigation | Impact: Low, Likelihood: Low, Risk: Low | | ||
| Mitigation | Implementation was currently postponed till all of the other High findings will be addressed. | | ||
|
||
| V006 | Lack of logging and monitoring solution in place, that can hinder the detection of security incidents, performance issues and operational anomalies. | | ||
| ------------------------- | ------------------------- | | ||
| Element | PURIS Product | | ||
| Before Mitigation | Impact: Low, Likelihood: Medium, Risk: Medium | | ||
| After Mitigation | Impact: Low, Likelihood: Low, Risk: Low | | ||
| Mitigation | Application is already logging every information about : every call to the respective EDC's, actions related to the exchange of data between partners, all authentication & authorization data Logging enchantments were completed. | | ||
|
||
| V007 | Encryption of confidential data at rest. | | ||
| ------------------------- | ------------------------- | | ||
| Element | PURIS Product | | ||
| Before Mitigation | Impact: High, Likelihood: Low, Risk: Medium | | ||
| After Mitigation | Impact: Low, Likelihood: Low, Risk: Low | | ||
| Mitigation | Will be addressed with lower priority due to severity. Goal is to show app is capable of processing the encrypted data. Remaining work is focused on testing those functionality with PostgreSQL DB. | | ||
|
||
| V008 | Confirmed vulnerabilities with high severity for H2 Database. | | ||
| ------------------------- | ------------------------- | | ||
| Element | H2 DB | | ||
| Before Mitigation | Impact: High, Likelihood: Medium, Risk: High | | ||
| After Mitigation | Impact: Low, Likelihood: Low, Risk: Low | | ||
| Mitigation | PostgreSQL DB has been implemented to the product. Status of implementation is already completed. | | ||
|
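Review bot: the After Mitigation rows for V005 and V007 are rated "Impact: Low, Likelihood: Low, Risk: Low" although their Mitigation cells say the rate-limiting work "was currently postponed" and encryption at rest "Will be addressed with lower priority"; an unimplemented mitigation should leave the residual risk at the Before Mitigation rating (Medium for both) or the status should be marked as open, otherwise the table overstates the current security state. The same consistency issue applies to the Scope of the review, which still lists "3 | H2 Database" while V008 states that PostgreSQL has replaced it. The V004 Mitigation cell reads as an unedited progress log ("currently working on SSL", "It was fixed", "The issue is already solved") with a doubled "for for" and "Cores issues" for CORS; collapse it to the final state, e.g. "HTTPS is enforced for the frontend and the backend (Spring configuration); a guide for configuring HTTPS with Docker exists; the CORS errors caused by self-signed certificates were resolved." Smaller points: "Key Cloak" should be "Keycloak" and the two roles in V001 need a separator between "PURIS_USER - common views related to short term information needs" and "PURIS_ADMIN"; "Logging enchantments" in V006 should be "enhancements"; the Dataflow Diagram section is still a placeholder, and its handle @szymonkowalcyk does not match @szymonkowalczykzf in the contact table.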
Security Assessment has been conducted for Release 24.03. Thus it is correct, isn't it? Just want to confirm.
Hi Tom, you need to schedule a new assessment for 24.03. This is only the migration to GitHub :)
Ah ok, we didn't participate in R23.12 and therefore just wanted to be fast enough for R24.03. Also, when talking about prioritization, things have been postponed for R24.05.
But I can open a ticket so that we're in line again :)