Automated Security Testing

Hey team. I’m an application/cloud security professional and typically work with greenfield digital banks. I recently submitted a piece of analysis comprising various security risks I found while sleuthing around the Mango GitHub and testing some of the web interfaces. Most are fixed by now (haven’t fully re-validated), but similar to audits, point-in-time reports are, well, point in time.

I’d like to apply for a grant to build out more automated security testing as part of the Mango CI/CD pipeline with a view to reduce risks of security vulnerabilities going forward and shift security left in the development cycle.
Since it’d be the first time we’re working together, I’ll keep this initial scope relatively short and snappy to hopefully demonstrate value, with a view to hopefully build out the security maturity further in subsequent asks.

Initially, I’d like to target the following aspects:

  1. Static code security analysis - Language specific tooling covering e.g. unsafe coding practices and OWASP top10 vulnerabilities on push and PRs
  2. Secrets detection - Identification of any unsafe use/disclosure of application secrets
  3. Dependencies - Scan dependencies for vulnerabilities on push, PRs and periodically

With a view to deliver the following outcomes:

  1. Confidence that no known vulnerable code or dependencies are used for Mango (unless risk accepted)
  2. Streamlined and repeatable approach to secure development that scales
  3. A framework for building Mango-specific code rules of what is allowed, or not
  4. A notable step up in security maturity and posture at low cost to developer impact and release velocity

Draft outline of activities:

  1. Detailed requirement analysis: Understand current state practices, current tooling used, analyse languages used (rust, js/ts, etc.) and map to automated testing tools per repo (including dependencies)
  2. Design: Using GitHub Actions integration, create a design that meets the requirements. Present to a TDA-like audience and capture any feedback/tweaks required
  3. Test: Agree a Mango repo to target initially and build out the actions. Capture team feedback and tweak as appropriate.
  4. Roll-out to all Mango repos: Using a similar process, build out automated workflows for all Mango repositories considering languages, dependencies, etc. for each (i.e. not just an inefficient kitchen-sink approach)
  5. Document: Capture all changes in documentation available to the team to adopt new changes.
  6. Remediation: Support remediation activities based on findings for any remaining time.

Key assumptions:

  1. Necessary permissions provided to make the relevant changes
  2. Automated scanning/testing may not pick up on logic errors e.g. in contracts (not selling snake oil here!)
  3. The team will be available for a reasonable amount of time to agree design and review test outcomes

I’m asking for a grant to cover 2 weeks of effort. Happy to consider USDC, locked/vested MNGO, or a combination. Can start immediately on a part-time basis.

Other areas I could support going forward if everyone is seeing benefits:

  • Act as security council/champion for Mango
  • Review privileged access and key management practices. Don’t want to end up like Ascendex, 8ight Finance, etc! Rekt - Ascendex - REKT
  • API security and fuzz testing. Badger DAO forgot about web2 security: Rekt - Badger - REKT
  • Shift security further left to IDE integration and using webhooks for pre-commit testing
  • Introduce automated dynamic security testing (black/grey box testing) of applications/sites
  • Ad hoc architecture input, remediation support, offensive testing and deep dive reviews
  • Supply chain security. Build a view of all supply chain parties, dependencies (SBOM) and work through hardening configuration/rationalisation etc. (e.g. hosting providers, WAF etc.)
  • Developing an incident response plan based on key security threats to Mango

Welcome your thoughts/questions. Happy to chat about next steps - or no steps is OK too!

Thanks,
Silas
(repost as first got rekt by the WP bot)

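As an added illustration of how the three initial scan types in the proposal (static analysis on push/PR, secrets detection, dependency scanning on push/PR and on a schedule) could be wired into GitHub Actions; this is example configuration written here, not Mango’s own workflow. It assumes a repository with a Cargo project at the root, a JS/TS front end under `ui/` with a lockfile, and that the gitleaks action runs in a context that does not need a licence key.

```yaml
# Added example workflow (not Mango's own). Assumes a Cargo project at the repo
# root and a JS/TS front end under ./ui with a package-lock.json.
name: security-scans

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: "0 6 * * 1"   # weekly re-scan so new advisories surface without a push

permissions:
  contents: read
  security-events: write  # allows CodeQL to upload its SARIF results

jobs:
  sast:
    # 1. Static analysis: CodeQL security queries for the JS/TS code,
    #    Clippy with denied lints for the Rust code; any finding fails the job
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
          queries: security-extended
      - uses: github/codeql-action/analyze@v3
      - run: cargo clippy --all-targets -- -D warnings -D clippy::unwrap_used

  secrets:
    # 2. Secrets detection over the full history (fetch-depth 0 so old commits
    #    are scanned too, not just the current tree)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  dependencies:
    # 3. Known-vulnerable dependencies in both ecosystems; also runs on the
    #    schedule so a new advisory against an unchanged lockfile is caught
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo install cargo-audit --locked && cargo audit
      - run: npm ci --ignore-scripts && npm audit --audit-level=high
        working-directory: ui
```

Risk-accepted advisories can be excluded explicitly (for example with `cargo audit --ignore <advisory id>`) so the accepted exceptions are visible in the workflow file rather than silently tolerated.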

I’d be very interested in seeing this come to life, it would be very helpful in reviewing contributions to UI projects which usually contain a lot of code and dependencies that take a lot of time to audit.


Can you propose a more specific amount + work + time frame. It’s probably not possible to do a vote at the moment for locked tokens because the contract isn’t live yet but if you make a reasonable proposal here and follow through on it, it’s likely you could submit a proposal for actual voting later on. Looking forward to seeing what comes out of your work/analysis!

All good if the contract functionality is not there yet. I’m OK with USDC, or a gentleman’s agreement for when the functionality is ready, if it’s in the near-future. I estimate 2 weeks (10 working days) and think a $150/h rate seems reasonable, i.e. $12k. I’m not sure what the $:locked MNGO ratio typically is, but maybe in the 140-160k range? Any unused time to design/build could be used to support remediation of vulns.

Could have this done in early Jan. Let me know what further details of work you’re looking for, or drop me a line on Discord (windowlicker).

Anything from after “Other areas I could support” should be considered out of scope for now. Was more to share what other things I could bring to the table on a longer term.

I would personally vote yes for $12k or 150k ~1yr locked MNGO. It seems like it could be a valuable addition.


Hey team, Merry Christmas! Let me know what you decide when you get a chance :wink: Got a couple of POCs I can show whenever, incl. automated contract testing for Rust.

If I were you I would just make a start on the work and I will happily put up a DAO vote for your locked token payment once the locked tokens contract is in place. Of course the DAO vote will have to pass. But if the vote is done at the same time as a group of other votes it shouldn’t be too hard to reach quorum.


Agreed, let’s get the work done. Overall will be a great addition.


Could you share a link to the repo?