Hey team. I’m an application/cloud security professional and typically work with greenfield digital banks. I recently submitted a piece of analysis comprising various security risks I found while sleuthing around the Mango GitHub and testing some of the web interfaces. Most are fixed by now (haven’t fully re-validated), but similar to audits, point-in-time reports are, well, point in time.
I’d like to apply for a grant to build out more automated security testing as part of the Mango CI/CD pipeline with a view to reduce risks of security vulnerabilities going forward and shift security left in the development cycle.
Since it’d be the first time we’re working together, I’ll keep this initial scope relatively short and snappy to hopefully demonstrate value, with a view to hopefully build out the security maturity further in subsequent asks.
Initially, I’d like to target the following aspects:
- Static code security analysis - Language-specific tooling covering e.g. unsafe coding practices and OWASP Top 10 vulnerabilities on push and PRs
- Secrets detection - Identification of any unsafe use/disclosure of application secrets
- Dependencies - Scan dependencies for vulnerabilities on push, PRs and periodically
With a view to deliver the following outcomes:
- Confidence that no known vulnerable code or dependencies are used for Mango (unless risk accepted)
- Streamlined and repeatable approach to secure development that scales
- A framework for building Mango-specific code rules of what is allowed, or not
- A notable step up in security maturity and posture at low cost to developer impact and release velocity
Draft outline of activities:
- Detailed requirement analysis: Understand current state practices, current tooling used, analyse languages used (rust, js/ts, etc.) and map to automated testing tools per repo (including dependencies)
- Design: Using GitHub Actions integration, create a design that meets the requirements. Present to a TDA-like audience and capture any feedback/tweaks required
- Test: Agree a Mango repo to target initially and build out the actions. Capture team feedback and tweak as appropriate.
- Roll-out to all Mango repos: Using a similar process, build out automated workflows for all Mango repositories considering languages, dependencies, etc. for each (i.e. not just an inefficient kitchen-sink approach)
- Document: Capture all changes in documentation available to the team to adopt new changes.
- Remediation: Support remediation activities based on findings for any remaining time.
Key assumptions:
- Necessary permissions provided to make the relevant changes
- Automated scanning/testing may not pick up on logic errors e.g. in contracts (not selling snake oil here!)
- The team will be available for a reasonable amount of time to agree design and review test outcomes
I’m asking for a grant to cover 2 weeks of effort. Happy to consider USDC, locked/vested MNGO, or a combination. Can start immediately on a part-time basis.
Other areas I could support going forward if everyone is seeing benefits:
- Act as security council/champion for Mango
- Review privileged access and key management practices. Don’t want to end up like Ascendex, 8ight Finance, etc! Rekt - Ascendex - REKT
- API security and fuzz testing. Badger DAO forgot about web2 security: Rekt - Badger - REKT
- Shift security further left to IDE integration and using webhooks for pre-commit testing
- Introduce automated dynamic security testing (black/grey box testing) of applications/sites
- Ad hoc architecture input, remediation support, offensive testing and deep dive reviews
- Supply chain security. Build a view of all supply chain parties, dependencies (SBOM) and work through hardening configuration/rationalisation etc. (e.g. hosting providers, WAF etc.)
- Developing an incident response plan based on key security threats to Mango
Welcome your thoughts/questions. Happy to chat about next steps - or no steps is OK too!
Thanks,
Silas
(repost as first got rekt by the WP bot)
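For anyone wanting to picture what the three proposed checks look like wired into GitHub Actions, here is an added example (not Silas's or Mango's own workflow) that runs secrets detection, Rust and JS/TS static analysis, and dependency audits on push, PR and a weekly schedule. The repo layout (Rust under `program/`, JS/TS under `ui/`) and the action versions are assumptions.

```yaml
# Added example, not Mango's workflow. Assumed layout: Rust code in ./program,
# JS/TS front-end in ./ui. Triggers cover push, PRs and a weekly re-scan so that
# advisories published after the last commit are still caught.
name: security-checks
on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: "0 6 * * 1"   # Mondays 06:00 UTC

permissions:
  contents: read          # least privilege by default; jobs opt in to more

jobs:
  secrets:
    # Secrets detection over full history: a key committed then removed still fails
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # org repos also need GITLEAKS_LICENSE

  rust:
    # Lints for unsafe/poor practices (clippy) + RUSTSEC advisory check of Cargo.lock
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: program
    steps:
      - uses: actions/checkout@v4
      - run: rustup component add clippy
      - run: cargo clippy --all-targets -- -D warnings -D clippy::all
      - run: cargo install cargo-audit --locked
      - run: cargo audit --deny warnings   # fail on vulnerable, yanked or unmaintained crates

  js:
    # CodeQL SAST (covers OWASP-style issues such as injection/XSS) + npm dependency audit
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload CodeQL results to code scanning
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript
      - uses: github/codeql-action/analyze@v3
      - run: npm ci && npm audit --audit-level=high
        working-directory: ui
```

Findings that are consciously risk-accepted would be handled with each tool's ignore/allowlist file (e.g. `.gitleaksignore`, `cargo audit --ignore RUSTSEC-...`) checked into the repo, so the accepted risk is visible in review rather than silently suppressed.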