# V19 Configuration
Configuration TBD
ID | Detailed Verification Requirement | Level 1 | Level 2 | Level 3 | Since |
---|---|---|---|---|---|
19.1 | All components should be up-to-date with proper security configuration(s) and version(s). This should include removal of unneeded configurations and folders such as sample applications, platform documentation, and default or example users. | x | x | x | 3.0 |
19.2 | Communications between components, such as between the application server and the database server, should be encrypted, particularly when the components are in different containers or on different systems. | x | x | 3.0 | |
19.3 | Communications between components, such as between the application server and the database server should be authenticated using an account with the least necessary privileges. | x | x | 3.0 | |
19.4 | Verify application deployments are adequately sandboxed, containerized or isolated to delay and deter attackers from attacking other applications. | x | x | 3.0 | |
19.5 | Verify that the application build and deployment processes are performed in a secure fashion. | x | x | 3.0 | |
19.6 | Verify that authorised administrators have the capability to verify the integrity of all security-relevant configurations to ensure that they have not been tampered with. | x | 3.0 | ||
19.7 | Verify that all application components are signed. | x | 3.0 | ||
19.8 | Verify that third party components come from trusted repositories. | x | 3.0 | ||
19.9 | Ensure that build processes for system level languages have all security flags enabled, such as ASLR, DEP, and security checks. | x | 3.0 | ||
19.10 | Verify that all application assets are hosted by the application, such as JavaScript libraries, CSS stylesheets and web fonts are hosted by the application rather than rely on a CDN or external provider. | x | 3.0.1 |
# 19.1
All components are kept up to date. There are multiple scanners and checks in place to check for security vulnerabilities.
# 19.2
All traffic between components is encrypted. It's in general the administrator's responsibility to use e.g. encryption for the Database connection. Psono.pw is configured correctly.
# 19.3
Application wise there is no requirement that would prevent this. In general it is the administrators to use a user with the least necessary privileges. Psono.pw is configured correctly.
# 19.4
Application deployments are completely sandboxed with Gitlab Runner.
# 19.5
Build and deployment process is performed in a secure environment with manually approval.
# 19.6 (violation)
Containers are currently not signed.
# 19.7 (violation)
Containers are currently not signed.
# 19.8
Components come from trusted sources as far as it is possible in the open source field with public package repositories.
# 19.9
Python enabled ASLR and DEP since Python 3.4
# 19.10
All assets are hosted by the application and not on a CDN or external provider.