This repository has been archived by the owner on May 16, 2023. It is now read-only.

Publish security audits #579

Open
rugk opened this issue Apr 8, 2021 · 13 comments
Assignees
Labels
mirrored-to-jira This item is also tracked internally in JIRA question Further information is requested

Comments

@rugk (Contributor) commented Apr 8, 2021

Your Question

As far as I read the doc there, you seem to acknowledge doing (external?) security audits of your code etc.

  • Did you do so?
  • If so, could you publish the results? (with all vulnerabilities that are fixed, of course)

I'm talking about technical security audits (code audits/blackbox or whitebox-like etc.), not GDPR/privacy analyses/statements etc.


Internal Tracking-ID: EXPOSUREAPP-8354

@rugk rugk added the question Further information is requested label Apr 8, 2021
@Ein-Tim (Contributor) commented Apr 8, 2021

https://www.coronawarn.app/en/#privacy under the point "Security" also says:

"Security assurance of application development through Secure Software Development Lifecycle, which includes among other things threat modeling and end-to-end risk assessment, security planning, security testing and penetration testing."

I didn't find a link to these threat models, etc. there either.

@rugk (Contributor, Author) commented Apr 10, 2021

That's great and interesting, but not really a security audit from an external company...

@dsarkar dsarkar added the mirrored-to-jira This item is also tracked internally in JIRA label Apr 12, 2021
@dsarkar (Member) commented Apr 12, 2021

@rugk I will try to get some info. Internal Tracking ID: EXPOSUREAPP-5956

@Ein-Tim (Contributor) commented May 7, 2021

Penetration tests were also mentioned in https://dbtg.tv/cvid/7519454 at around minute 12.

@rugk (Contributor, Author) commented Jun 19, 2021

FYI the BSI responded to some FOI ("freedom of information", IFG - Informationsfreiheitsgesetz) request and thus published some audits:
https://fragdenstaat.de/anfrage/dokumente-zu-sicherheitsaudits-der-corona-warn-app/#nachricht-590020

Dokumente_geschwrzt.zip

@Ein-Tim (Contributor) commented Jul 9, 2021

The BSI responded to a question I asked them on Twitter: it's not planned to publish the security audits ("Eine Veröffentlichung der Berichte als solches ist aktuell nicht geplant.", i.e. "Publishing the reports as such is currently not planned.").

@rugk (Contributor, Author) commented Jul 9, 2021

This is funny, because they actually did publish some of them in/via the FOI request above… 🙃

I asked them why they don't do this. 😅

@Ein-Tim (Contributor) commented Jul 9, 2021

@rugk

Is the argument from the Twitter user a valid one? For me it sounds logical that they won't publish these audits because hackers then would know what doesn't work and can concentrate on other methods. But tbh I never read through a security audit so 🤷🏻‍♂️
And, on the other side, they are still reporting security flaws public here on GitHub, sooo. 😉

@rugk (Contributor, Author) commented Jul 9, 2021

@Ein-Tim I already replied on Twitter but the TLDR is, as you also said: Of course do not publish unfixed/undisclosed vulnerabilities. As for fixed ones, however, there is – judging from the technical experience – no disadvantage/risk of just publishing it. Especially as they, as you noticed, are already somewhat public on GitHub.

@heinezen (Member) commented

@rugk I've raised the issue again, this time as a feature request.

@Ein-Tim

> Is the argument from the Twitter user a valid one? For me it sounds logical that they won't publish these audits because hackers then would know what doesn't work and can concentrate on other methods.

It goes against all security best practices, so no, it isn't really valid.

  1. You actually want people to know how to test these systems, otherwise no one could comprehend whether the issue is fixed or how severe the problem was in the first place. You cannot trust that something is secure if the methods to determine this are unknown.
  2. The chances that university/security researchers will find bugs and report them are much higher when they can base their work on previous audits.
  3. The "evil guys" usually already have a fair bit of pentesting knowledge and don't need the help of an audit.

Corona-Warn-App Open Source Team

@Ein-Tim (Contributor) commented Jul 11, 2021

@heinezen

Thank you for the explanation (and for raising this topic again)!

@Ein-Tim (Contributor) commented Apr 18, 2022

Is there any update available here? Will security audits be published directly on GitHub or is it necessary to request them via a FOI request?
