Publish security audits

Open rugk opened this issue 3 years ago • 13 comments

Your Question

As far as I read the doc there, you seem to acknowledge doing (external?) security audits of your code etc.

  • Did you do so?
  • If so, could you publish the results? (with all vulnerabilities that are fixed, of course)

I'm talking about technical security audits (code audits/blackbox or whitebox-like etc.), not GDPR/privacy analyses/statements etc.


Internal Tracking-ID: EXPOSUREAPP-8354

rugk avatar Apr 08 '21 21:04 rugk

https://www.coronawarn.app/en/#privacy under the point "Security" also says:

"Security assurance of application development through Secure Software Development Lifecycle, which includes among other things threat modeling and end-to-end risk assessment, security planning, security testing and penetration testing."

I didn't find a link to these threat modelings, etc. there either.

Ein-Tim avatar Apr 08 '21 22:04 Ein-Tim

@rugk @Ein-Tim You will find some documents on risk analysis on the main webpage under the section Data Privacy document and the annexes:

  • https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung-anlage1a.pdf
  • https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung-anlage1b.pdf
  • https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung-anlage2.pdf
  • https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung-anlage3.pdf
  • https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung-anlage5.pdf
  • https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung-anlage6.pdf
  • https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung-anlage7.pdf

dsarkar avatar Apr 10 '21 13:04 dsarkar

That's great and interesting, but not really a security audit from an external company...

rugk avatar Apr 10 '21 14:04 rugk

@rugk I will try to get some info. Internal Tracking ID: EXPOSUREAPP-5956

dsarkar avatar Apr 12 '21 15:04 dsarkar

Penetration tests were also mentioned in https://dbtg.tv/cvid/7519454 at around minute 12.

Ein-Tim avatar May 07 '21 16:05 Ein-Tim

FYI the BSI responded to some FOI ("freedom of information", IFG - Informationsfreiheitsgesetz) request and thus published some audits: https://fragdenstaat.de/anfrage/dokumente-zu-sicherheitsaudits-der-corona-warn-app/#nachricht-590020

Dokumente_geschwrzt.zip

rugk avatar Jun 19 '21 16:06 rugk

The BSI responded to a question I asked them on Twitter, it's not planned to publish the security audits ("Eine Veröffentlichung der Berichte als solches ist aktuell nicht geplant.").

Ein-Tim avatar Jul 09 '21 14:07 Ein-Tim

This is funny, because they actually did publish some of them in/via the FOI request above… :upside_down_face:

I asked them why they don't do this. :sweat_smile:

rugk avatar Jul 09 '21 14:07 rugk

@rugk

Is the argument from the Twitter user a valid one? For me it sounds logical that they won't publish these audits because hackers then would know what doesn't work and can concentrate on other methods. But tbh I never read through a security audit so 🤷🏻‍♂️ And, on the other side, they are still reporting security flaws publicly here on GitHub, sooo. 😉

Ein-Tim avatar Jul 09 '21 18:07 Ein-Tim

@Ein-Tim I already replied on Twitter but the TLDR is, as you also said: Of course do not publish unfixed/undisclosed vulnerabilities. As for fixed ones, however, there is – judging from the technical experience – no disadvantage/risk of just publishing it. Especially as they, as you noticed, are already somewhat public on GitHub.

rugk avatar Jul 09 '21 19:07 rugk

@rugk I've raised the issue again, this time as a feature request.

@Ein-Tim

Is the argument from the Twitter user a valid one? For me it sounds logically that they won't publish these audits because hackers then would know what doesn't work and can concentrate on other methods.

It goes against all security best practices, so no, it isn't really valid.

  1. You actually want people to know how to test these systems, otherwise no one could comprehend whether the issue is fixed or how severe the problem was in the first place. You cannot trust if something is secure if the methods to determine this are unknown.
  2. The chances that university/security researchers will find bugs and report them is much higher when they can base their work on previous audits
  3. The "evil guys" usually already have a fair bit of pentesting knowledge and don't need the help of an audit

Corona-Warn-App Open Source Team

heinezen avatar Jul 11 '21 15:07 heinezen

@heinezen

Thank you for the explanation (and for raising this topic again)!

Ein-Tim avatar Jul 11 '21 15:07 Ein-Tim

Is there any update available here? Will security audits be published directly on GitHub or is it necessary to request them via a FOI request?

Ein-Tim avatar Apr 18 '22 13:04 Ein-Tim