Cwa-documentation: Publish security audits

Created on 8 Apr 2021 · 5Comments · Source: corona-warn-app/cwa-documentation

Your Question

Documentation File: overview-security.md
Line / Paragraph: security testing
Question: Am I missing the obvious or did not you publish your security audits there, yet?

As far as I read the doc there, you seem to acknowledge to do (external?) security audits of your code etc.

Did you do so?
If so, could you publish the results? (with all vulnerabilities that are fixed, of course)

I'm talking about technical security audits (code audits/blackbox or whitebox-like etc.), not GDPR/privacy analyses/statements etc.

mirrored-to-jira question

Source

rugk

All 5 comments

https://www.coronawarn.app/en/#privacy under the point "Security" also says:

"Security assurance of application development through Secure Software Development Lifecycle, which includes among other things threat modeling and end-to-end risk assessment, security planning, security testing and penetration testing."

I didn't find a link to these threat modelings, etc. there neither.

Ein-Tim on 9 Apr 2021

👍1

@rugk @Ein-Tim You will find some documents on risk analysis on the main webpage under the section Data Privacy document and the annexes:

https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung-anlage1a.pdf
https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung-anlage1b.pdf
https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung-anlage2.pdf
https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung-anlage3.pdf
https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung-anlage5.pdf
https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung-anlage6.pdf
https://www.coronawarn.app/assets/documents/cwa-datenschutz-folgenabschaetzung-anlage7.pdf

dsarkar on 10 Apr 2021

That's great and interesting, but not really a security audit from an external company...

rugk on 10 Apr 2021

@rugk I will try to get some info. Internal Tracking ID: EXPOSUREAPP-5956

dsarkar on 12 Apr 2021

👍1

Penetration test were also mentioned in https://dbtg.tv/cvid/7519454 at around minute 12.

Ein-Tim on 7 May 2021

Was this page helpful?

0 / 5 - 0 ratings

Related issues

CONTRIBUTING.md for CWA Android refers to dev branch which no longer exists

MikeMcC399 · 3Comments

Key exchange

AndiLeni · 3Comments

Feat: Integrate alex scanner for inconsiderate language

dreh23 · 3Comments

Questions about collected telemetry / analytics data

kbobrowski · 3Comments

To contribute to this project I am forced to share my behavioral data with Microsoft

TomTeeJay · 3Comments