22 June 2021
Update 2022: In 2022 the focus was on completing the Security Matrix, its supporting documents (descriptions) and creating and documenting the process for (re)creating new and updated versions of the Delft-FEWS Security Factsheet. This factsheet merges the security matrix (image), which covers 10 Delft-FEWS components and 12 security aspects, with a description of each of the 120 cells in the matrix. For easy maintenance the descriptions are kept in an Excel document, which is mail-merged with the other contributing documents into an official Deltares-style document. During this work a backlog of security issues was collected. At the same time new security aspects around secure coding were identified, which will be in scope for the next year(s). At the end of 2022, agreements were in place to transfer the lead of this roadmap theme from Gert-Jan Schotmeijer to Gerben Boot. The OWASP vulnerability scan runs on our code on a daily basis. Based on its output, third-party libraries are upgraded, and all of these actions are now reported in the Release Notes. For severe vulnerabilities which require action a procedure has been drafted and will be finalized in Q1 of 2023.
In 2021 a security matrix was created to visualize all security options per Delft-FEWS component. For all 10 components (Forecasting Shell Server, Master Controller, Database, Admin Interface, Operator Client, Configuration Manager, Archive Server, Database Proxy, FEWS Web Service and Datafeeds) security aspects with respect to 5 domains were assessed and visualized.
The aspects are:
Network Security (Encrypted Network Traffic, Port Security, Access to Delft-FEWS component)
Access Management (MFA, Role Based Access, Access User, OpenID Connect options)
Threat Protection (Access Audit Trail, Change Audit Trail, Session Time-out)
Data (Encrypted Storage)
The outcome of the assessment is that the majority of security aspects are already covered by the latest release of Delft-FEWS. To cover the security aspects which did not fully pass the assessment, small developments are planned for 2022.
We also respond quickly to the daily OWASP checks (OWASP = Open Web Application Security Project) which run on our build & test environment (TeamCity).
In 2022, we continue learning from our ongoing cloud (migration) projects. These projects focus on the up- and downscaling of computational cores using Docker containers and on switching components on/off from a financial perspective. These external parallel projects are not managed from a roadmap perspective, but they explicitly contribute to our cloud knowledge and expertise. From a knowledge-sharing perspective we will capture these experiences in our documentation wiki and we will complete the documentation based on the material(s) we previously shared in the "Delft-FEWS in the cloud" webinar (from January 2022).
Expected effort in 2022: ±40 days
Main contact for this roadmap theme is: Gerben Boot
Update 2021: Regarding security, an OWASP top-10 check has been added to our compile & build servers. This means that all third-party libraries in use by Delft-FEWS are assessed for vulnerabilities on a daily basis. An alarm was indeed triggered in the recent "Log4J" event and we acted accordingly. Our conclusion was that this vulnerability was not directly affecting the Delft-FEWS software itself. For Open Archive users it was necessary to take measures. To rule out any doubts, we decided to publish new and updated packages for all supported versions of Delft-FEWS. This public page describes the impact and this page contains the necessary and optional steps to deploy one of these versions (wiki login required). We expect to publish the Delft-FEWS Security Principles and Guidelines for our clients soon. For interested stakeholders and potential clients we have compiled them in a management summary.
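As an added example (not Delft-FEWS code or a Deltares procedure), the Python below shows the kind of gate that sits behind a daily third-party library scan as described in the 2021 and 2022 updates: it flattens a scan report, marks findings above a CVSS threshold as requiring action, keeps findings the team has already assessed (as in the Log4J case above) visible without blocking the build, and emits release-notes style lines so every action is reported. The report shape is assumed to follow an OWASP Dependency-Check JSON report; the sample report, the library names, the CVE ids and the ASSESSED table are constructed placeholders.

```python
"""Triage of a daily third-party library vulnerability scan report.

Added example; not Delft-FEWS project code. The report shape (top-level
"dependencies", each with an optional "vulnerabilities" list whose entries
carry "name", "severity" and "cvssv3"/"cvssv2" scores) is assumed to match
an OWASP Dependency-Check JSON report. The sample below is constructed and
its CVE ids are placeholders, not real identifiers.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample report; identifiers are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "logging-lib-2.14.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-00001", "severity": "CRITICAL",
              "cvssv3": {"baseScore": 10.0}}]},
        {"fileName": "xml-parser-1.2.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-00002", "severity": "MEDIUM",
              "cvssv3": {"baseScore": 5.3}},
             {"name": "CVE-0000-00003", "severity": "HIGH",
              "cvssv2": {"score": 7.5}}]},      # no cvssv3 block: fall back to cvssv2
        {"fileName": "utils-3.0.jar"},          # clean dependency, no findings
    ]
})

# Findings already assessed by the team (alarm raised, impact assessed,
# conclusion recorded). They stay in the report but no longer block the
# build. Constructed content.
ASSESSED = {
    "CVE-0000-00003": "vulnerable code path not reachable from the product; upgrade in backlog",
}


@dataclass(frozen=True)
class Finding:
    library: str
    cve: str
    severity: str
    score: Optional[float]  # None when the report carries no CVSS score


def _score(vuln: dict) -> Optional[float]:
    """Prefer the CVSS v3 base score, fall back to v2, else None."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if "score" in v2:
        return float(v2["score"])
    return None


def parse_report(report_json: str) -> list:
    """Flatten the per-dependency report into one Finding per (library, CVE)."""
    data = json.loads(report_json)
    findings = []
    for dep in data.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            findings.append(Finding(
                library=dep.get("fileName", "<unknown>"),
                cve=vuln["name"],
                severity=str(vuln.get("severity", "UNKNOWN")).upper(),
                score=_score(vuln),
            ))
    return findings


def is_severe(f: Finding, threshold: float = 7.0) -> bool:
    """Severe = CVSS >= threshold; without a score, trust the HIGH/CRITICAL label."""
    if f.score is not None:
        return f.score >= threshold
    return f.severity in {"HIGH", "CRITICAL"}


def triage(report_json: str, assessed: dict = ASSESSED, threshold: float = 7.0) -> dict:
    """Split findings into blocking, assessed and informational ones and build
    release-notes style lines, so that every scan outcome is reported."""
    findings = parse_report(report_json)
    blocking, notes = [], []
    # Highest score first so the lines that need action come out on top.
    for f in sorted(findings, key=lambda x: (-(x.score or 0.0), x.cve)):
        score = "n/a" if f.score is None else f"{f.score:.1f}"
        head = f"{f.library}: {f.cve} ({f.severity}, CVSS {score})"
        if f.cve in assessed:
            notes.append(f"{head} assessed: {assessed[f.cve]}")
        elif is_severe(f, threshold):
            blocking.append(f)
            notes.append(f"{head} requires action: upgrade library")
        else:
            notes.append(f"{head} below threshold, tracked")
    return {"findings": findings, "blocking": blocking, "notes": notes,
            "build_ok": not blocking}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("\n".join(result["notes"]))
    # Non-zero exit makes the build server mark the daily check as failed.
    raise SystemExit(0 if result["build_ok"] else 1)
```

Run as a build step after the scan has written its report; the exit status is what the build server acts on, and the printed lines are what ends up in the release notes once the upgrade has been done.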
In addition to the security aspects that already have our attention in developing, deploying and maintaining Delft-FEWS, we will focus in 2021 on (i) role-based access, (ii) encrypted data and connections and (iii) the management of third-party libraries.
As with any other software package, security principles and guidelines must be applied to Delft-FEWS. These will be available in two documents and delivered this year.