Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] Create plugins for opportunity & opportunity_role #25

Closed
wants to merge 6 commits into from
Closed

[WIP] Create plugins for opportunity & opportunity_role #25

wants to merge 6 commits into from

Conversation

maeken
Copy link

@maeken maeken commented Mar 6, 2024
edited
Loading

What

Are all connections created by the plugin secure?

  • Does it opt secure communication standard? Such as HTTPS, SSH, SFTP, SMTP STARTTLS. If not check with CISO to decide we can deploy the plugin.
  • Does support both authentication and encryption appropriately? Such as: "just encrypting without authentication" that is insecure.

Does the plugin connect only to its expected external site which the customer explicitly set in their config file?

  • Does NOT connect unexpected external site and our internal endpoints? Such as: “v3/job/:id/set_started” callback endpoint.

Does NOT the plugin persist any customers' private information? Identify the private information beforehand.

  • Does NOT include them in (temporary) files?
  • Does NOT include them in log messages and exception messages?

What kind of environments does the plugin interact with?

  • Does NOT execute any shell command?
  • Does NOT read any files on the running instance? Such as: "/etc/passwords". It’s ok to read temporary files that the plugin wrote.
  • Does use to create temporary files by spi.TempFileSpace utility to avoid the conflict of the file names.
  • Does NOT get environment variables or JVM system properties at runtime? Such as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in environment variables

Does NOT the plugin use insecure libraries?

  • Line up all depending library so that we can identify the impact of security incident of those library if any.
  • Check libraries usage of the plugin; all security check list must apply to the library usages. Such as "Are all connections created by the library secure?"

Does NOT the plugin source code repository contain kinds of credentials

  • API keys
  • Passwords

Make sure to free up all resources allocated during Embulk transaction “committing” or “rolling back”or before.

  • Network (connections, pooled connections)
  • Memory (cache in static variables)
  • File (temporary files)
  • CPU (threads, processes)

@maeken maeken self-assigned this Mar 6, 2024
@maeken maeken closed this Mar 11, 2024
@maeken maeken deleted the 22364-oppotunity-plugins branch March 11, 2024 01:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@maeken maeken

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@maeken