Prometheus security related questions


Lucian Iordache

Feb 19, 2020, 4:37:09 AM
to Prometheus Developers
Hi,

My name is Lucian and I am an SRE Observability Engineer at Mambu GmbH.

We are working on a custom solution based on Prometheus, and we have some questions from a security perspective, as follows:

1. How is the Prometheus design performed? Are you considering security requirements in the architecture and design phase of the product and new features?
2. Are you performing code reviews? If yes, are security checks part of it?
3. How are dependencies managed?
3.1 Are you scanning for vulnerable dependencies?
3.2 How are dependencies reviewed before being added to the product, and how are vulnerable or non-maintained dependencies handled?
4. How is the source code checked for vulnerabilities (e.g. static code analysis, penetration tests …)?
5. How is the build process secured?


Thank you.

Regards,
Lucian Iordache
SRE Observability Engineer
Mambu

Bjoern Rabenstein

Feb 20, 2020, 9:30:24 AM
to Lucian Iordache, Prometheus Developers
On 19.02.20 01:37, Lucian Iordache wrote:
>
> We are working on a custom solution based on Prometheus, and we have some
> questions from security perspective as following:

For canonical answers, you should have a look at
https://prometheus.io/docs/operating/security/ .

Also note the Cure53 audit linked from that page:
https://prometheus.io/assets/downloads/2018-06-11--cure53_security_audit.pdf

--
Björn Rabenstein
[PGP-ID] 0x851C3DA17D748D03
[email] bjo...@rabenste.in

Lucian Iordache

Feb 21, 2020, 2:29:57 AM
to Prometheus Developers
Thank you for the info. I already reviewed that, but it does not entirely cover our questions.
We would appreciate some targeted answers to our questions.

Ben Kochie

Feb 21, 2020, 3:54:36 AM
to Lucian Iordache, Prometheus Developers
On Wed, Feb 19, 2020 at 10:37 AM Lucian Iordache <lucian....@mambu.com> wrote:
> Hi,
>
> My name is Lucian and I am an SRE Observability Engineer at Mambu GmbH.
>
> We are working on a custom solution based on Prometheus, and we have some questions from a security perspective, as follows:
>
> 1. How is the Prometheus design performed? Are you considering security requirements in the architecture and design phase of the product and new features?

In general, yes, we consider security when designing new features.

> 2. Are you performing code reviews? If yes, are security checks part of it?

Yes, the Prometheus project uses code review via GitHub pull requests.

> 3. How are dependencies managed?

We use Go modules and Yarn.

> 3.1 Are you scanning for vulnerable dependencies?

GitHub provides dependency vulnerability scanning for us.

> 3.2 How are dependencies reviewed before being added to the product, and how are vulnerable or non-maintained dependencies handled?

They're reviewed as part of our code review process.

> 4. How is the source code checked for vulnerabilities (e.g. static code analysis, penetration tests …)?

We use a 3rd party audit service. Currently Cure53.

> 5. How is the build process secured?

We perform builds via CircleCI and use CircleCI's official build images.

> Thank you.
>
> Regards,
> Lucian Iordache
> SRE Observability Engineer
> Mambu


Bjoern Rabenstein

Feb 24, 2020, 8:42:04 AM
to Lucian Iordache, Prometheus Developers
On 20.02.20 23:29, Lucian Iordache wrote:
> Thank you for info, Already reviewed that but these does not cover entirely our
> questions.
> We would appreciate some targeted answers to our questions.

Anything else is essentially fluid and not really formalized.

You'll get individual views on how our practices have developed in
practice (cf. the other response in this thread by Ben Kochie). But
views and opinions will vary, and you therefore cannot expect any of
those practices to be applied consistently and systematically.

Mihai Iordache

Feb 27, 2020, 11:12:43 AM
to Prometheus Developers
I have some additional questions, as follows:
1. Are you performing pentests regularly? If yes, how often?
2. Are all high and critical issues addressed in a short amount of time?

Julien Pivotto

Feb 27, 2020, 11:16:18 AM
to Mihai Iordache, Prometheus Developers
On 27 Feb 08:12, Mihai Iordache wrote:
> I have some additional questions, as follows:
> 1. Are you performing pentests regularly? If yes, how often?

As https://prometheus.io/docs/operating/security/#external-audits

There was a pentest in 2018. There will probably be a new one in 2020,
to be confirmed.

> 2. Are all high and critical issues addressed in a short amount of time?

Prometheus is an open source project and we address those issues on a
best-effort basis. We try to do our best but we don't promise anything.
Some team members also closely follow golang releases for security
vulnerabilities.


--
(o- Julien Pivotto
//\ Open-Source Consultant
V_/_ Inuits - https://www.inuits.eu

Bjoern Rabenstein

Mar 2, 2020, 7:53:18 AM
to Julien Pivotto, Mihai Iordache, Prometheus Developers
On 27.02.20 17:16, Julien Pivotto wrote:
> On 27 Feb 08:12, Mihai Iordache wrote:
> > I have some additional questions, as follows:
> > 1. Are you performing pentests regularly? If yes, how often?
>
> As https://prometheus.io/docs/operating/security/#external-audits
>
> There was a pentest in 2018. There will probably be a new one in 2020,
> to be confirmed.

That was an audit. I wouldn't call that a pentest.

> > 2. Are all high and critical issues addressed in a short amount of time?
>
> Prometheus is an open source project and we address those issues on a
> best-effort basis. We try to do our best but we don't promise anything.
> Some team members also closely follow golang releases for security
> vulnerabilities.

Exactly. If you want any kind of guarantee, you either have to
contribute security fixes yourself, or you have to pay somebody to do
it for you. (The latter is one of the many facets of building a
business on top of open source software.)