Click here to Skip to main content
15,844,387 members
Home / Discussions / Design and Architecture
   

Design and Architecture

 
GeneralRe: Validate Data Format Pin
Kevin Marois16-Nov-23 11:46
professionalKevin Marois16-Nov-23 11:46 
GeneralRe: Validate Data Format Pin
Gerry Schmitz16-Nov-23 16:57
mveGerry Schmitz16-Nov-23 16:57 
AnswerRe: Validate Data Format Pin
jschell16-Nov-23 6:26
jschell16-Nov-23 6:26 
GeneralRe: Validate Data Format Pin
Andre Oosthuizen18-Nov-23 8:18
mveAndre Oosthuizen18-Nov-23 8:18 
QuestionHow to address security in white label software Pin
mozilly2-Nov-23 22:54
mozilly2-Nov-23 22:54 
AnswerRe: How to address security in white label software Pin
Gerry Schmitz5-Nov-23 6:06
mveGerry Schmitz5-Nov-23 6:06 
AnswerRe: How to address security in white label software Pin
jschell6-Nov-23 11:50
jschell6-Nov-23 11:50 
QuestionHow to address security for white-label web app Pin
mozilly2-Nov-23 1:56
mozilly2-Nov-23 1:56 
I just started working with a business that made a web application that has a nodejs-expressjs backend api and a react front end. The business wants to sell its software as a white label solution to some enterprise sized businesses. My manager says that the customers will be expecting a detailed report to convince them that our solution is "secure". I need to determine steps to producing such a security report.

My first thoughts are to follow these steps:
  1. Run the npm audit command on our backend and front end projects to identify all known vulnerabilities. And then fixed them according to recommended approaches I read about on the internet. This step has been done. The npm audit command shows no vulnerabilities or issues of any kind.
  2. We upload our code as docker images to dockerhub.com. Dockerhub shows a list of vulnerabilities for us to address. I am currently in this step, and I have some issues which I will elaborate further down in this post.
  3. Hire a 3rd party cyber security firm to test our solution. This firm will give us a report of issues to address.
That's my overall plan. However, I am currently stuck on step 2. Dockerhub is showing me MANY Critical and High priority vulnerabilities such as the following:
...etc...

According to dockerhub, there are about 100 of these types of vulnerabilities, where maybe 10% are critical, 15% are high, rest are medium or low. These issues look very difficult to address, because they are used by modules of modules that I don't directly access in my own software. Trying to replace these modules of modules basically means a complete rewrite of our software to not depend on ANY open source solutions at all! And I'm sure if I were to scan packages with another type of scanner, different sets of vulnerabilities would be exposed. And I haven't even gotten to step 3 yet.

So this got me wondering...how do other organizations selling white labelled solutions go about disclosing vulnerabilities to their end clients and how do they protect themselves?

I started thinking that maybe I don't have to deal with every single security vulnerability that exists. Instead, I should only address security issues that I am confident hackers will exploit or things that are easy to address. Then I hire a security party firm to find other vulnerabilities. Anything that's not caught by the security firm we deem as "not important". And we develop some contract and service agreement that protects our business from the legal actions if our clients experiences a security vulnerability not covered in our report?

But then, a customer will say, "But dockerhub.com clearly shows vulnerability X, and you as the seller were aware of vulnerability X, please justify to us why you did not address it." And how do we respond then?

That's what's in my head right now.

So back to my original question - what steps should a team take to address security concerns of a software that will be white labelled and sold to customers?
QuestionThoughts on Internationalization Pin
snorkie23-Oct-23 8:44
professionalsnorkie23-Oct-23 8:44 
AnswerRe: Thoughts on Internationalization Pin
Dave Kreskowiak23-Oct-23 10:17
mveDave Kreskowiak23-Oct-23 10:17 
AnswerRe: Thoughts on Internationalization Pin
Mircea Neacsu23-Oct-23 10:52
Mircea Neacsu23-Oct-23 10:52 
GeneralRe: Thoughts on Internationalization Pin
trønderen23-Oct-23 13:02
trønderen23-Oct-23 13:02 
GeneralRe: Thoughts on Internationalization Pin
Mircea Neacsu23-Oct-23 14:40
Mircea Neacsu23-Oct-23 14:40 
GeneralRe: Thoughts on Internationalization Pin
trønderen23-Oct-23 21:22
trønderen23-Oct-23 21:22 
GeneralRe: Thoughts on Internationalization Pin
snorkie24-Oct-23 10:43
professionalsnorkie24-Oct-23 10:43 
GeneralRe: Thoughts on Internationalization Pin
jschell25-Oct-23 6:01
jschell25-Oct-23 6:01 
GeneralRe: Thoughts on Internationalization Pin
Mircea Neacsu25-Oct-23 6:49
Mircea Neacsu25-Oct-23 6:49 
GeneralRe: Thoughts on Internationalization Pin
trønderen25-Oct-23 12:54
trønderen25-Oct-23 12:54 
GeneralRe: Thoughts on Internationalization Pin
Eddy Vluggen25-Oct-23 13:56
professionalEddy Vluggen25-Oct-23 13:56 
GeneralRe: Thoughts on Internationalization Pin
trønderen25-Oct-23 16:20
trønderen25-Oct-23 16:20 
GeneralRe: Thoughts on Internationalization Pin
Eddy Vluggen26-Oct-23 2:40
professionalEddy Vluggen26-Oct-23 2:40 
GeneralRe: Thoughts on Internationalization Pin
jschell26-Oct-23 5:55
jschell26-Oct-23 5:55 
GeneralRe: Thoughts on Internationalization Pin
trønderen26-Oct-23 8:36
trønderen26-Oct-23 8:36 
AnswerRe: Thoughts on Internationalization Pin
Gerry Schmitz24-Oct-23 8:07
mveGerry Schmitz24-Oct-23 8:07 
AnswerRe: Thoughts on Internationalization Pin
jschell24-Oct-23 8:34
jschell24-Oct-23 8:34 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.