
SnapApp GCP CIS Benchmark
on 08-20-2024 12:00 AM by SnapApp by BlueVector AI
This document provides an overview of SnapApp’s compliance with the CIS Benchmark for Google Cloud Platform. While SnapApp follows many best practices, this document highlights the ones that are specific to the CIS Benchmark.
Cloud Storage
Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible
All buckets in SnapApp are private (neither publicly nor anonymously accessible), except for the public bucket, which is meant to store publicly available assets such as images, custom stylesheets, favicons and other resources that are generally publicly accessible.
Ensure That Cloud Storage Buckets Have Uniform Bucket Level Access Enabled
All buckets have uniform bucket-level access enabled, and this is also enforced in the IaC (Terraform) code.
Cloud SQL (MySQL)
Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges
Ensure ‘Skip_show_database’ Database Flag for Cloud SQL MySQL Instance Is Set to ‘On’ (Automated)
Ensure That the ‘Local_infile’ Database Flag for a Cloud SQL MySQL Instance Is Set to ‘Off’ (Automated)
SnapApp uses Cloud SQL for MySQL, so the Postgres recommendations are not applicable.
Apart from these, SnapApp also follows a number of other best practices, described below.
Code Security & Best Practices
Static Code analysis using SonarQube
SonarQube is a powerful tool for continuous code quality and security analysis. It provides detailed insights into code smells, bugs, vulnerabilities and code duplication. The result is more maintainable, secure and efficient code, which reduces technical debt and improves software reliability.
Unit Tests and Integration Tests
Mozilla Observatory
Mozilla Observatory is a valuable tool for improving the security of web applications, offering several key advantages. SnapApp’s Observatory page can be found here.
Private Code Repository
Logging & Monitoring
VPC & Networking
SnapApp uses a custom VPC network.
SSH access is restricted from the Internet.
RDP access is restricted from the Internet. SnapApp does not use any Windows VMs.
Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites
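The controls from the Cloud Storage, Cloud SQL (MySQL) and VPC & Networking sections above, expressed as Terraform. This is an added example, not SnapApp’s own IaC; the resource names, bucket name, region, machine tier and VPC name are placeholders.

```hcl
# Cloud Storage: uniform bucket-level access on, public access blocked.
# (The one intentionally public asset bucket would omit public_access_prevention
# and grant roles/storage.objectViewer to allUsers via IAM instead.)
resource "google_storage_bucket" "app_data" {
  name                        = "example-snapapp-data" # placeholder
  location                    = "US"
  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"
}

# Cloud SQL for MySQL with the two CIS database flags named above.
resource "google_sql_database_instance" "mysql" {
  name             = "example-snapapp-mysql" # placeholder
  database_version = "MYSQL_8_0"
  region           = "us-central1"           # placeholder

  settings {
    tier = "db-custom-1-3840"                # placeholder
    database_flags {
      name  = "skip_show_database"           # CIS: set to 'on'
      value = "on"
    }
    database_flags {
      name  = "local_infile"                 # CIS: set to 'off'
      value = "off"
    }
  }
}

# VPC & Networking: explicit deny for SSH and RDP from the Internet.
# A custom VPC already has an implied deny-ingress rule; this rule sits at a
# higher priority (lower number) than the default 1000, so a broad allow rule
# added later cannot reopen these ports to 0.0.0.0/0.
resource "google_compute_firewall" "deny_ssh_rdp_from_internet" {
  name          = "deny-ssh-rdp-from-internet"
  network       = "example-snapapp-vpc"     # placeholder: existing custom VPC
  direction     = "INGRESS"
  priority      = 900
  source_ranges = ["0.0.0.0/0"]
  deny {
    protocol = "tcp"
    ports    = ["22", "3389"]
  }
}

# HTTPS/SSL proxy load balancers: RESTRICTED profile permits only strong
# cipher suites and forbids TLS below 1.2, satisfying the weak-cipher check.
resource "google_compute_ssl_policy" "strict" {
  name            = "example-snapapp-ssl-policy" # placeholder
  profile         = "RESTRICTED"
  min_tls_version = "TLS_1_2"
}
```

Attach the SSL policy to each target HTTPS/SSL proxy via its `ssl_policy` argument; a proxy with no policy attached falls back to the COMPATIBLE profile, which is what the CIS check flags.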