Version: Next

Concept for security checks and vulnerability management

The security ecosystem is designed to protect various components of the software stack, including:

  • Spring Boot Microservices: Java-based services that form the backbone of the backend infrastructure.
  • Drupal CMS: a PHP-based content management system used for web content management.
  • iOS Code: mobile applications developed in Swift for the Apple ecosystem.
  • Android Code: mobile applications developed in Kotlin, targeting the Android platform.

Continuous Integration and Deployment

Trivy Integration

Trivy is integrated into the backend CI/CD pipeline (Tekton) to scan container images, configuration files, and application dependencies for vulnerabilities. The process is as follows:


  • Pre-Build Scanning: before the build, Trivy scans the existing codebase and dependencies for known vulnerabilities.
  • Post-Build Scanning: after the build, Trivy re-scans the produced artifacts to ensure no new vulnerabilities have been introduced.
  • Reporting: all findings are documented in a comprehensive report that includes vulnerability details, severity levels, and recommended fixes. The report can also be reached from the Bitbucket link, which takes you to ArgoCD.


(ArgoCD, a declarative GitOps continuous delivery tool, is used to manage the Kubernetes applications. It includes the vulnerability analysis as part of the deployment process.)

Helm Chart Management

The team is responsible for maintaining and updating the Helm charts used to define, install, and upgrade the Kubernetes applications:

  • Action on Vulnerabilities: upon receiving the vulnerability report, the team takes the necessary actions to address the identified issues.
  • Chart Updates: new Helm charts are published with the appropriate fixes to eliminate the reported vulnerabilities.
  • Version Control: all changes to Helm charts are version-controlled to maintain a history of updates and fixes.

Waiver Process

In cases where a known vulnerability exists within the frameworks and an official fix is pending, a waiver process is implemented:

Waiver Request: The team can request a waiver for a specific vulnerability, providing justification and a risk assessment.

Waiver request format:

{
  "application_name": "example-app",
  "application_id": "8126fdb2b31746a6bf77a24707dce85a",
  "stage": "release",
  "timestamp": 1706636129768,
  "date": "2024-01-30T17:35:29.768000",
  "violations": [
    {
      "component": "org.apache.tomcat.embed : tomcat-embed-core : 10.1.16",
      "violation_id": "3b26cefc7eac4ae59da2b3b3029538d2",
      "threat_category": "LICENSE",
      "threat_level": 9,
      "is_grandfathered": false,
      "waivers": [
        {
          "waiver_id": "4e0657e8215646e39bec660e6a95c2ee",
          "policy_id": "058a7eaa9862496eb107dc46c9c738cc",
          "source_scope": "root_organization",
          "comment": "Wird nicht in die prop. SW eingebunden und ist nicht untrennbar verbunden",
          "create_time": "2023-11-14T12:42:29.638000+00:00",
          "expiry_time": null,
          "vulnerability_id": null,
          "creator_name": null
        }
      ]
    }
  ],
  "export_time": "2024-01-30T17:35:40.583670",
  "tool_version": "4.5.2"
}

Review and Approval: The waiver request is reviewed by the security team and, if deemed acceptable, approved.

Documentation: Approved waivers are documented as part of the environmental release process. Include the waiver with each upcoming release of the application (not in the Helm chart!) for as long as the issue is not fixed. Once it is missing, the waiver is deleted from the system and the vulnerability is reported again.
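As an added example (not part of this page or the project's own tooling), the following Python check reads a report in the waiver format above, decides which violations still have an active waiver as of the release date, and gates the release on the unwaived ones. The sample report, its ids, the SECURITY category and the threat-level threshold are constructed assumptions, not values from the real system.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the waiver request format (placeholder ids, not real data).
SAMPLE_REPORT = json.loads("""{
  "application_name": "example-app", "stage": "release",
  "violations": [
    {"component": "org.apache.tomcat.embed : tomcat-embed-core : 10.1.16",
     "violation_id": "v-license-1", "threat_category": "LICENSE", "threat_level": 9,
     "waivers": [{"waiver_id": "w-1", "expiry_time": null, "comment": "not linked into proprietary code"}]},
    {"component": "example : library-a : 1.0.0",
     "violation_id": "v-sec-2", "threat_category": "SECURITY", "threat_level": 7,
     "waivers": [{"waiver_id": "w-2", "expiry_time": "2024-01-01T00:00:00+00:00", "comment": "fix pending"}]},
    {"component": "example : library-b : 2.3.4",
     "violation_id": "v-sec-3", "threat_category": "SECURITY", "threat_level": 8,
     "waivers": []}
  ]
}""")

# Release date used for the sample evaluation (matches the "date" field of the page's example).
AS_OF = datetime(2024, 1, 30, 17, 35, tzinfo=timezone.utc)


def waiver_active(waiver, now):
    """A waiver still covers its violation if it has no expiry or the expiry lies after `now`."""
    expiry = waiver.get("expiry_time")
    if expiry is None:
        return True
    exp = datetime.fromisoformat(expiry)
    if exp.tzinfo is None:  # treat naive timestamps as UTC so the comparison cannot fail
        exp = exp.replace(tzinfo=timezone.utc)
    return exp > now


def unwaived_violations(report, now):
    """Violation ids with no active waiver: these are the ones the pipeline reports again."""
    return [v["violation_id"] for v in report["violations"]
            if not any(waiver_active(w, now) for w in v.get("waivers", []))]


def release_gate(report, now, max_level=7):
    """Block the release if an unwaived violation reaches max_level (threshold is an assumption)."""
    open_ids = set(unwaived_violations(report, now))
    blocking = [v["violation_id"] for v in report["violations"]
                if v["violation_id"] in open_ids and v["threat_level"] >= max_level]
    return {"blocked": bool(blocking), "report": blocking}


if __name__ == "__main__":
    print(unwaived_violations(SAMPLE_REPORT, AS_OF))  # ['v-sec-2', 'v-sec-3']
    print(release_gate(SAMPLE_REPORT, AS_OF))
```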

SonarQube Security Checks

SonarQube is utilized for continuous inspection of code quality and security checks:

  • Code Analysis: SonarQube analyzes the source code for potential security hotspots and vulnerabilities.
  • Quality Gates: custom quality gates are set up to ensure that no new security risks are introduced into the codebase.
  • Remediation Guidance: developers receive guidance on how to fix detected issues, improving the overall security posture of the applications.

Application Penetration Testing

Penetration testing is conducted on both iOS and Android mobile applications and backend services to identify and address security weaknesses:

  • Testing Scope: the scope of the penetration testing includes authentication, session management, data encryption, and other critical security areas.
  • Testing Methodology: a combination of automated tools and manual testing techniques is used to perform a thorough assessment.
  • Reporting and Remediation: findings from the penetration tests are documented in detailed reports, and remediation actions are taken to harden the mobile applications against attacks.

Sample report screenshots

  • Backend APIs (report screenshot)

  • Mobile Applications (report screenshot)