
Harden Kitodo.Production according to the OWASP Top 10 #5567

matthias-ronge opened this issue Feb 27, 2023 · 1 comment
matthias-ronge commented Feb 27, 2023

Description

Software security plays an increasingly important role. Legislators are increasingly obliging institutions to implement state-of-the-art software security. The OWASP Top 10 is a list of the top ten security risks that web applications face. It is a guide to implementing and maximizing software security.

  • This task consists of an analytical part in which a standardized installation of Production is to be checked (to the best of our knowledge and belief) for possible violations of the CVEs mentioned in the ten risks. Other developers should be given the chance to bring in their knowledge here.
  • In a second part, measures should be put in place to remedy these violations or to avoid them as best as possible. The measures are to be taken in three areas:
    • programming,
    • modification of the example configuration that is supplied with releases, and
    • documentation of necessary procedures during installation.

Examples:
Programming: A hard-coded encryption algorithm, which is known to be insecure, is swapped out for an algorithm that is currently considered secure.
Configuration: Removal of default passwords from the example configuration.
Documentation: Explain how to set up an encrypted connection to the database during installation.

This task is intended to be the cornerstone for raising awareness of software security among developers and administrators, and based on this, for thinking about and maintaining software security even more in the future.

Related Issues

Expected Benefits of this Development

For both directors and administrators, a security incident means that they have to sacrifice (often also leisure) time and get a lot of extra work. They have to do painful communication, perform technical measures (like restoring a backup), may be interviewed by government agencies, may have to testify in court, or, at worst, are legally prosecuted. For sales, it is increasingly important to explain how the software strives to meet software security requirements.

  • Software with higher security makes attackers more likely to fail if they are unsuccessful for too long. This will better prevent security incidents.
  • Should a security incident nevertheless occur, it is helpful to be able to demonstrate that the software used is secure to the best of knowledge and belief.

Estimated Costs and Complexity

Aiming for software security is a never-ending story, so I suggest setting a time limit on these points: I propose to allocate 5 days for each part of the work, so 10 days in total.

First part:

  • Understand the 10 risks
  • Questioning the application to potentially affected areas
  • Documentation of problems that have become apparent, and of unresolved detailed questions, as GitHub issues
  • Conducting an open online developer conference, presenting the results so far.
    • Documenting further issues that come from other developers.
  • Prioritization of the problems found according to their urgency (may be supported by the community commenting on the issues)

Second part:

  • Processing of found problems according to priority
  • The aim of this work package is not that everything has to be solved.
  • Possibly other developers, release management, or documentation management may be involved for some issues.
@matthias-ronge added the "security" and "development fund 2023" (A candidate for the Kitodo e.V. development fund.) labels on Feb 27, 2023
@solth removed the "development fund 2023" (A candidate for the Kitodo e.V. development fund.) label on Jul 12, 2023
@matthias-ronge added the "development fund 2024" (A candidate for the Kitodo e.V. development fund.) label on Mar 5, 2024

solth commented Mar 18, 2024

Votes: 8

@solth removed the "development fund 2024" (A candidate for the Kitodo e.V. development fund.) label on Aug 7, 2024