Set up vulnrelay (vulnerability scanning) #207
@@ -0,0 +1,5 @@ | |||
ENV=prod | |||
DD_URL= |
let's add the default url here
I don't think exposing urls of our infrastructure services in the open source repository is a good idea
okay maybe let's leave a hint where to look
Added a link to the internal handbook in the README_AWS
@@ -0,0 +1,5 @@ | |||
ENV=prod |
this is only used by the dsn, right? what's the idea here? to use the same dsn as the project? if so then the ENV should default to vulnrelay-prod.
The idea was to use the same sentry project for all servers, but use the environment field to differentiate between them.
And the environment is being constructed from DD_PRODUCT and ENV:
environment = f"{settings.DD_PRODUCT} - {settings.ENV}"
using the same dsn for all projects is a security risk. I'd rather have them separate, even if separated from the project's DSN
I don't get it, how exactly are multiple sentry DSNs safer than a single one?
When it comes to various bugs that may arise in production, having all of them in a single place seems much more convenient to manage. Also, creating a separate sentry setup for each new project we ship can be daunting.
the security risk is: if one DSN gets compromised a malicious actor can spawn errors for all nodes, and cycling the DSN would require changing configs of all deployments. If creating projects is troubling then it is a problem we can solve with a steady supply of evaluation candidates - sentry API allows for creation of projects. It could be a part of CADM or whatever.
ENV=prod | ||
DD_URL= | ||
DD_API_KEY= | ||
DD_PRODUCT= |
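Review bot: DD_API_KEY= is committed as an empty value next to DD_URL= and DD_PRODUCT= in this new file, and nothing in the file says it is a template rather than a live config; add a comment (or a line in README_AWS, which the thread already points to) stating that real values are injected at deploy time and that a populated copy of this file must never be committed, and make sure the populated path is covered by .gitignore so only this empty example is tracked.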
this is not explained, there should be a mention of the convention: product=client_server_group
That's a good point, but I was thinking this should be somewhere in our internal handbook in the relevant section about vulnerabilities management. Here we're just referring to whatever was created in DefectDojo. Wdyt?
I'm not sure leaving it in another place is gonna be helpful, people will just forget about it
Added some clarifying comments to the .env file
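An added settings check (example code, not part of vulnrelay) that enforces the points argued over in this thread: the committed .env is a template whose empty DD_URL, DD_API_KEY and DD_PRODUCT values must be refused at startup, DD_PRODUCT is validated against the product=client_server_group convention, and the Sentry environment string is built the way the author describes. The three-part underscore reading of the convention and the sample values are assumptions.

```python
import re

# Keys the .env template in this PR declares; an empty value means "not configured".
REQUIRED_KEYS = ("ENV", "DD_URL", "DD_API_KEY", "DD_PRODUCT")
# Assumed reading of "product=client_server_group": three non-empty, underscore-separated parts.
PRODUCT_RE = re.compile(r"^[A-Za-z0-9-]+_[A-Za-z0-9-]+_[A-Za-z0-9-]+$")

# Constructed sample inputs: the checked-in template and a filled-in deployment copy.
TEMPLATE = "ENV=prod\nDD_URL=\nDD_API_KEY=\nDD_PRODUCT=\n"
FILLED = (
    "# deployment copy, never committed\n"
    "ENV=prod\n"
    "DD_URL=https://defectdojo.example.internal\n"
    "DD_API_KEY=placeholder-key-not-real\n"
    "DD_PRODUCT=acme_web_backend\n"
)


def parse_dotenv(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed .env line: {raw!r}")
        values[key.strip()] = value.strip().strip('"').strip("'")
    return values


def validate_settings(values):
    """Return a list of problems; an empty list means the settings are usable."""
    problems = []
    for key in REQUIRED_KEYS:
        if not values.get(key):
            problems.append(f"{key} is empty: the committed .env is a template, inject real values at deploy time")
    product = values.get("DD_PRODUCT", "")
    if product and not PRODUCT_RE.match(product):
        problems.append("DD_PRODUCT must follow the client_server_group convention")
    if values.get("DD_URL", "").startswith("http://"):
        problems.append("DD_URL must be https://, the API key travels in request headers")
    return problems


def sentry_environment(values):
    """Build the per-server Sentry environment field ("<DD_PRODUCT> - <ENV>") from validated settings."""
    problems = validate_settings(values)
    if problems:
        raise ValueError("; ".join(problems))
    return f"{values['DD_PRODUCT']} - {values['ENV']}"
```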
posted some questions