Merge ~jugmac00/launchpad:add-security-documentation into launchpad:master

Proposed by Jürgen Gmach
Status: Merged
Merge reported by: Jürgen Gmach
Merged at revision: f0c29262ba5e62890467d68b574dc76c8ee5b820
Proposed branch: ~jugmac00/launchpad:add-security-documentation
Merge into: launchpad:master
Diff against target: 164 lines (+150/-0)
2 files modified
doc/explanation/index.rst (+1/-0)
doc/explanation/security.rst (+149/-0)
Reviewer Review Type Date Requested Status
Colin Watson (community) Approve
Review via email: mp+447278@code.launchpad.net

Commit message

Add security documentation

Revision history for this message
Colin Watson (cjwatson) wrote :

I think it would be interesting to say something here about the security of builds, since that's one of the most complex and non-obvious parts of Launchpad's security (after all, we're deliberately executing arbitrary code that can be submitted by anyone with a Launchpad account). https://docs.google.com/document/d/1im8CMxLRNxtt5H0zv461kSYSflN-YlxJ1UZG8_53D9A is an internal document I wrote up a while back with a lot of this. Not all of it is suitable for being made public (there's a whole section referring to a project that isn't public yet, if nothing else), but perhaps we could start by linking to it and then at least Canonical folks can conveniently see it, and then we can figure out later which bits are OK to put in public documentation.

You could link to https://help.launchpad.net/API/SigningRequests which has some details about how the OAuth authorization arrangements work for the webservice API.

review: Approve
Revision history for this message
Guruprasad (lgp171188) :
Revision history for this message
Jürgen Gmach (jugmac00) wrote :

Thanks for the feedback!

Revision history for this message
Colin Watson (cjwatson) :
Revision history for this message
Colin Watson (cjwatson) :
review: Approve
Revision history for this message
Jürgen Gmach (jugmac00) :
Revision history for this message
Jürgen Gmach (jugmac00) :
Revision history for this message
Otto Co-Pilot (otto-copilot) wrote :

Preview Diff

1diff --git a/doc/explanation/index.rst b/doc/explanation/index.rst
2index 49da0ad..1ab0d5f 100644
3--- a/doc/explanation/index.rst
4+++ b/doc/explanation/index.rst
5@@ -16,3 +16,4 @@ Explanation
6 charms
7 codeimport
8 performance
9+ security
10diff --git a/doc/explanation/security.rst b/doc/explanation/security.rst
11new file mode 100644
12index 0000000..d785809
13--- /dev/null
14+++ b/doc/explanation/security.rst
15@@ -0,0 +1,149 @@
16+About Launchpad security
17+========================
18+
19+This document is an overview of how Launchpad approaches security.
20+It includes advice on how to build and run Launchpad in a secure way.
21+And finally it shows how to report security issues.
22+
23+Launchpad's security strategy is multi-layered and multi-facetted.
24+
25+Architecture and system design
26+------------------------------
27+Launchpad is secure by design, which means that its architecture, its
28+components and all communication between components were designed to be
29+fundamentally secure.
30+
31+We only use Ubuntu LTS releases, which gets professional security support.
32+
33+We monitor updates of both system and :doc:`Python packages <pip>` closely,
34+and update or patch our systems and applications accordingly.
35+
36+We use a restrictive network setup between all our systems, especially
37+for untrusted builders.
38+You can read more about the threat model for builds in `LP113`_ (internal
39+spec).
40+
41+.. _LP113: https://docs.google.com/document/d/1im8CMxLRNxtt5H0zv461kSYSflN-YlxJ1UZG8_53D9A/edit
42+
43+All traffic to Launchpad is secured by TLS, with the exception of package
44+downloads, which are cryptographically verified on the client side.
45+
46+Component configuration
47+-----------------------
48+We take great care to configure our components in a secure way.
49+
50+Our web servers are configured very strictly, e.g.
51+
52+- we use HSTS
53+- we set the ``X-Content-Type-Options`` to ``nosniff``
54+- we prevent launchpad.net from being used in a frame
55+
56+You can have a look at the configuration in `canonical-mojo-specs`_ inside
57+the ``launchpad-manual-servers`` directory, and you can verify the results via
58+`Mozilla's online analyzer`_.
59+
60+.. _canonical-mojo-specs: https://launchpad.net/canonical-mojo-specs
61+.. _Mozilla's online analyzer: https://observatory.mozilla.org/analyze/launchpad.net
62+
63+We also restrict user-uploaded content in size to prevent issues with
64+availability.
65+
66+Our secrets are strictly separated from our source code.
67+
68+Code
69+----
70+We do not use direct SQL statements, but rather use the
71+`Storm ORM`_. This prevents SQL injection issues.
72+
73+.. _Storm ORM: https://storm.canonical.com/
74+
75+We are using Zope's mighty and fine-grained security framework which provides
76+a generic mechanism to implement security policies on Python objects.
77+
78+Compared to other frameworks, the main difference is that we check security
79+policies on most object attribute accesses, not just at API boundaries.
80+The exception is when an object isn't wrapped in a security proxy, which is
81+typically either for the ``self`` parameter to a method, so object methods
82+don't go through the security proxy when accessing their own internal
83+attributes, or when ``removeSecurityProxy`` is explicitly used.
84+
85+Checking at attribute access provides significant defense in depth and is
86+especially important given the interactions between visibility and mutability
87+rules of multiple objects found on many Launchpad pages.
88+
89+You can learn more about how we use it in
90+:doc:`Handling security policies <../how-to/security>`.
91+
92+Permissions
93+-----------
94+In general we follow the principle of least privilege.
95+
96+Launchpad engineers do not have direct access to production instances.
97+
98+Leveraging the mentioned Zope's security framework, we apply fine-grained and
99+strict access level permissions.
100+
101+While all Launchpad engineers have permissions to provide basic support for
102+Launchpad users, only select roles have wider access to administrative
103+features and security-related areas.
104+
105+Authorization
106+--------------
107+There is `extensive documentation`_ for how the OAuth authorization
108+arrangements work for the webservice API.
109+
110+.. _extensive documentation: https://help.launchpad.net/API/SigningRequests
111+
112+Processes
113+---------
114+For all but the most trivial code and configuration changes we require a
115+review by another team member or by IS.
116+
117+For DB changes we require a second review by an experienced engineer.
118+
119+Security issues can always be escalated and Canonical's security team supports
120+us with expert knowledge when necessary.
121+
122+Security monitoring
123+-------------------
124+While we do not have automatic security monitoring in place yet as of July
125+2023, Launchpad.net was recently pentested by an external security company.
126+
127+Training
128+--------
129+Launchpad engineers are encouraged to stay up to date with modern security
130+practices.
131+
132+Canonical offers a training budget which can be used for security training.
133+
134+Further recommended reading:
135+
136+- `OWASP top 10`_
137+- `Mozilla's web security guide`_
138+
139+.. _OWASP top 10: https://owasp.org/www-project-top-ten/
140+.. _Mozilla's web security guide: https://infosec.mozilla.org/guidelines/web_security.html
141+
142+Tooling
143+-------
144+Mozilla offers an excellent `web security analyzer`_, which provides a great
145+overview of the security state of a website.
146+
147+OWASP's `Zed Attack Proxy`_ is a mighty open-source tool which intercepts
148+requests to the site under test and allows detailed security checks.
149+
150+.. _web security analyzer: https://observatory.mozilla.org/
151+.. _Zed Attack Proxy: https://www.zaproxy.org/
152+
153+Reporting
154+---------
155+Both security issues for Launchpad itself, for all listed projects, and for
156+e.g. malicious applications hosted on Launchpad, should be reported by
157+Launchpad's `bug reporting interface`_.
158+Please set the bug's visibility to either "Public Security" or "Private
159+Security" as appropriate.
160+
161+.. _bug reporting interface: https://bugs.launchpad.net/launchpad-project/+filebug
162+
163+Please be aware that Launchpad.net will send email in plaintext in response to
164+the bug reports.
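
Review bot: the Code section's statement that using the Storm ORM "prevents SQL injection issues" promises more than an ORM can deliver; an ORM only protects the values it binds as query parameters, and any raw SQL that is assembled by string formatting and handed to the store is still injectable. Suggest "This greatly reduces the risk of SQL injection, as long as raw SQL is avoided or its values are passed as bound parameters", so readers do not take the ORM as a blanket guarantee. Three smaller points in the same file: the LP113 link is a Google Doc that is internal, so the text should say that readers outside Canonical will get a permission error rather than only "(internal spec)"; the Reporting section leaves the choice between "Public Security" and "Private Security" to the reporter, whereas a page about reporting security issues should recommend "Private Security" by default so a report is not disclosed before a fix exists, with "Public Security" reserved for issues that are already public; and "as of July 2023" together with "recently pentested" will go stale quickly, so name the year of the pentest and plan to revisit that sentence. Typos: "multi-facetted" should be "multi-faceted", and "Ubuntu LTS releases, which gets" should be "which get".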
