On Wed, Feb 19, 2020 at 10:37 AM Lucian Iordache <[email protected]> wrote:
> Hi,
>
> My name is Lucian and I am SRE Observability Engineer at Mambu GmbH.
>
> We are working on a custom solution based on Prometheus, and we have some
> questions from a security perspective, as follows:
>
> 1. How is the Prometheus design performed? Are you considering security
> requirements in the architecture and design phase of the product and new
> features?

In general, yes, we consider security when designing new features.

> 2. Are you performing code reviews? If yes, are security checks part of
> it?

Yes, the Prometheus project uses code review via GitHub pull requests.

> 3. How are dependencies managed?

We use Go modules and Yarn.

> 3.1 Are you scanning for vulnerable dependencies?

GitHub provides dependency vulnerability scanning for us.

> 3.2 How are dependencies reviewed before being added to the product, and how
> are vulnerable or non-maintained dependencies handled?

They're reviewed as part of our code review process.

> 4. How is the source code checked for vulnerabilities (e.g. static code
> analysis, penetration tests …)?

We use a 3rd party audit service. Currently Cure53.

> 5. How is the build process secured?

We perform builds via CircleCI and use CircleCI's official build images.

> Thank you.
>
> Regards,
> Lucian Iordache
> SRE Observability Engineer
> Mambu
>
> --
> You received this message because you are subscribed to the Google Groups
> "Prometheus Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/prometheus-developers/13b4a798-fa97-4c60-81d8-08cd4b793219%40googlegroups.com

-- 
You received this message because you are subscribed to the Google Groups "Prometheus Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-developers/CABbyFmozj8e%3DuDkAu85dSXR01TJsjS-FV0w4bYTperbrq4q1dQ%40mail.gmail.com.

