This repository has been archived by the owner on Dec 4, 2024. It is now read-only.

There is no evaluation on security measures for our current infrastructure #91

Open
rmeissner opened this issue May 5, 2022 · 0 comments
@rmeissner
Member

rmeissner commented May 5, 2022

Part 1: Define the problem

What problem are you trying to solve?

There is no documentation or evaluation of the current infrastructure setup describing which security assumptions have been made and how we could improve them in the future.

What is your hypothesis?

Documenting this will allow us to act faster on upcoming security issues and constantly improve on this.

What value does this bring to our customer and/or our mission? What is the goal?

Increased security for our services and interfaces.

How do we measure it?

  • Possible periodic tests described in the solution are ok
  • Downtimes per month due to attacks
  • Users that have suffered an attack

Links:

Part 2: Shaping the problem

Problem Owner

@luarx

Non Goal(s)

Solution

Overview
Security must be considered as a whole. As we have a final production system (not a prototype), it is our responsibility to take care of this area.
For instance, if our smart contracts are audited but a user who needs to transfer funds urgently (bear market maybe?) can't do it because the interface/service is down, we are not meeting the expectations.

For that reason, all of our teams must consider security when they are working instead of implementing security measures at the end of the process (https://en.wikipedia.org/wiki/Software_development_security).

Analysis:

  • Backend team
    • They should create a document where known attack vectors and possible solutions (permanent and temporary) are defined
  • Devops team
    • They should create a document where known attack vectors and possible solutions (permanent and temporary) are defined

Solutions can be:

  • To fix known issues:
    • Software/Infrastructure changes
  • To discover present/future issues:
    • Automatic security tools (Github repos, docker images vulnerabilities...). Periodically
    • External pentesting company. Periodically
  • To integrate security phases in the development process
    • Employees who lack security knowledge should do some courses regarding security + development

Rough Scoping & Timeline
Risk(s), Key Trade Offs & Decisions

Alternative solutions & ideas

Open Questions

@rmeissner rmeissner added the infra label May 5, 2022
@rmeissner rmeissner changed the title There is evaluation on security measures for our current infrastructure There is no evaluation on security measures for our current infrastructure May 5, 2022