Forum OpenACS Development: acs-admin: Security and Privacy Posture Overview

Dear all,

As discussed at the OpenACS conference last month, OpenACS now includes a security and privacy posture overview page that collects and summarizes various pieces scattered across many packages and parameters in one place. The page provides

- Quick overview
- Check of security and privacy relevant package parameters
- Authorization and accessibility check of mounted packages
- HTTP Response header checking
- External library check (CDN vs. local usage, vulnerable or outdated libraries)

Since some of the operations may take some time on large sites (e.g. when running on a system with several hundred thousand site nodes), the output and level of detail have been adjusted for such sites.

To give you an idea of what the new pages look like, the screenshots below were taken from a sample site.

You might have noticed on the "External library check" the outdated libraries for this instance (from cdnjs) and the vulnerability checks (from Snyk). These checks require Internet access.

To update outdated or vulnerable libraries, the site-wide administration interfaces were also updated. Version number management is now consistent over the major packages; the design considerations and principles are described in managing external JavaScript packages.

Here is an example of the site-wide admin page for the TinyMCE editor

... and a sample output from the security advisor from Snyk:

The posture page is linked from the /acs-admin/ page.

All the best!
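To make the "HTTP Response header checking" item above concrete, here is an added example of what such a check does. It is not code from the OpenACS posture page (which is written in Tcl, not Python) and does not claim to reproduce its exact rules; the header list, the one-year HSTS threshold and the cookie attributes are this example's own choices of commonly checked items, and the sample response headers are constructed for the example, not captured from any real site.

```python
"""Illustrative HTTP response-header posture check (added example, not OpenACS code)."""
from typing import List, Optional, Tuple

# Constructed sample response, as a list of (name, value) pairs so that repeated
# headers such as Set-Cookie are preserved. Not captured from a real site.
SAMPLE_RESPONSE: List[Tuple[str, str]] = [
    ("Server", "nginx/1.18.0"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Strict-Transport-Security", "max-age=3600"),
    ("Set-Cookie", "ad_session_id=abc123; Path=/"),
    ("Set-Cookie", "ad_user_login=xyz; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

ONE_YEAR = 31536000  # threshold for HSTS max-age chosen for this example


def _first(headers: List[Tuple[str, str]], name: str) -> Optional[str]:
    """Return the first value of header `name` (case-insensitive), or None."""
    for k, v in headers:
        if k.lower() == name.lower():
            return v
    return None


def _hsts_max_age(value: str) -> Optional[int]:
    """Parse max-age out of a Strict-Transport-Security value; None if absent."""
    for part in value.split(";"):
        k, _, v = part.strip().partition("=")
        if k.strip().lower() == "max-age" and v.strip().isdigit():
            return int(v.strip())
    return None


def check_cookie(set_cookie: str) -> List[str]:
    """Flag a Set-Cookie value that lacks Secure, HttpOnly or SameSite."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {p.partition("=")[0].lower() for p in parts[1:]}
    wanted = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}
    return [f"cookie {name} lacks {label}" for key, label in wanted.items() if key not in attrs]


def check_headers(headers: List[Tuple[str, str]], https: bool = True) -> List[str]:
    """Return a list of findings for a response; empty means nothing was flagged."""
    findings: List[str] = []
    if https:
        hsts = _first(headers, "Strict-Transport-Security")
        if hsts is None:
            findings.append("missing Strict-Transport-Security")
        else:
            age = _hsts_max_age(hsts)
            if age is None or age < ONE_YEAR:
                findings.append(f"Strict-Transport-Security max-age below one year: {hsts}")
    csp = _first(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    if (_first(headers, "X-Content-Type-Options") or "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    # Either header prevents framing by other origins; the CSP directive is the modern one.
    if _first(headers, "X-Frame-Options") is None and "frame-ancestors" not in (csp or ""):
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    if _first(headers, "Referrer-Policy") is None:
        findings.append("missing Referrer-Policy")
    server = _first(headers, "Server") or ""
    if any(c.isdigit() for c in server):
        findings.append(f"Server header discloses a version: {server}")
    for k, v in headers:
        if k.lower() == "set-cookie":
            findings.extend(check_cookie(v))
    return findings


if __name__ == "__main__":
    for finding in check_headers(SAMPLE_RESPONSE):
        print("-", finding)
```

Run against the constructed sample, the check reports a short HSTS lifetime, the missing CSP, nosniff and Referrer-Policy headers, the version in the Server header, and the three missing attributes on the session cookie, while the second cookie passes. A real posture page would fetch the headers from the running instance and may apply stricter or different rules; this block only shows the shape of the comparison.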