Our Security Implementation
We are responsible for the security of the DevOps Project. We have used the best security industry practices and ensure every other team to be in compliance with that.
Initially, We started understanding the system, its
component, and interactions between them. We spent a good
amount of time to holistically analyze the system to find
various threat vectors. Our focus was to build a robust
and secure infrastructure and hence we scope the web
application and Network infrastructure for our security
Web Application Penetration Testing
We configured ZAP on our local system which is the Web Application Vulnerability tool and pointed it to the Django. We ran an attack on the system to find any vulnerability. This tools produced a bunch of potential vulnerability which we shared with the development team along with mitigation technique to fix this.
Network Penetration Testing
For performing Network based penetration testing we followed the standard approach which involves mainly six steps.
- Vulnerability Detection
- Post Exploitation
We did not find any vulnerability with the application server hosting the django website. There were few XSS low level warnings which were conveyed to developers. While doing a network based security testing namely a black box testing of the infrastructure hosting the server, we found only port open was the port 80 and rest of the ports were either close and block by firewall. After analysing the service version, we did not see any vulnerability associated with it. So, we conluded the infrastructure was secure based on our testing artifacts.
Application Source Code Review
Our source code analysis found 8 low severity bugs in the Django based Quiz system. that were raised as issues in GitHub. These issues were promptly handled and appropriate measures were taken.
The following are the bugs that we discovered in the Quiz system:
- Additional files present in the repository Database credentials present in codebase Input validation missing in URL routing Default URL not specified for root directory Database Credentials are public DEBUG=True in prod Secret Key mentioned in source code
We also set up the GitHub app to track Issues as they are added to GitHub to be reported to a specific slack channel. This slack channel would be monitored by all teams involved in the development of the Quiz website.