# V19 Configuration

Configuration TBD

ID Detailed Verification Requirement Level 1 Level 2 Level 3 Since
19.1 All components should be up-to-date with proper security configuration(s) and version(s). This should include removal of unneeded configurations and folders such as sample applications, platform documentation, and default or example users. x x x 3.0
19.2 Communications between components, such as between the application server and the database server, should be encrypted, particularly when the components are in different containers or on different systems. x x 3.0
19.3 Communications between components, such as between the application server and the database server should be authenticated using an account with the least necessary privileges. x x 3.0
19.4 Verify application deployments are adequately sandboxed, containerized or isolated to delay and deter attackers from attacking other applications. x x 3.0
19.5 Verify that the application build and deployment processes are performed in a secure fashion. x x 3.0
19.6 Verify that authorised administrators have the capability to verify the integrity of all security-relevant configurations to ensure that they have not been tampered with. x 3.0
19.7 Verify that all application components are signed. x 3.0
19.8 Verify that third party components come from trusted repositories. x 3.0
19.9 Ensure that build processes for system level languages have all security flags enabled, such as ASLR, DEP, and security checks. x 3.0
19.10 Verify that all application assets are hosted by the application, such as JavaScript libraries, CSS stylesheets and web fonts are hosted by the application rather than rely on a CDN or external provider. x 3.0.1

# 19.1

All components are kept up to date. There are multiple scanners and checks in place to check for security vulnerabilities.

# 19.2

All traffic between components is encrypted. It's in general the administrator's responsibility to use e.g. encryption for the Database connection. Psono.pw is configured correctly.

# 19.3

Application wise there is no requirement that would prevent this. In general it is the administrators to use a user with the least necessary privileges. Psono.pw is configured correctly.

# 19.4

Application deployments are completely sandboxed with Gitlab Runner.

# 19.5

Build and deployment process is performed in a secure environment with manually approval.

# 19.6 (violation)

Containers are currently not signed.

# 19.7 (violation)

Containers are currently not signed.

# 19.8

Components come from trusted sources as far as it is possible in the open source field with public package repositories.

# 19.9

Python enabled ASLR and DEP since Python 3.4

# 19.10

All assets are hosted by the application and not on a CDN or external provider.