
SnapApp GCP CIS Benchmark
on 08-20-2024 12:00 AM by SnapApp by BlueVector AI
This document provides an overview of SnapApp’s compliance with the CIS Benchmark for Google Cloud Platform. SnapApp follows many general best practices; this document highlights the ones specific to the CIS Benchmark.
Cloud Storage
Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible
No SnapApp bucket is publicly or anonymously accessible, except for the public bucket, which stores publicly available assets such as images, custom stylesheets, favicons and other resources that are generally publicly accessible.
Ensure That Cloud Storage Buckets Have Uniform Bucket Level Access Enabled
All buckets have uniform bucket-level access enabled, and this is also enforced in the IaC (Terraform) code.
Cloud SQL (MySQL)
Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges
- The root account is disabled, and a custom MySQL user with strong password requirements is created when spinning up a new Cloud SQL instance.
Ensure ‘Skip_show_database’ Database Flag for Cloud SQL MySQL Instance Is Set to ‘On’ (Automated)
- Currently this is not enforced. There is usually only a single user-created MySQL database per instance, and no other databases exist apart from the system databases.
Ensure That the ‘Local_infile’ Database Flag for a Cloud SQL MySQL Instance Is Set to ‘Off’ (Automated)
- Currently this is not enforced.
SnapApp uses Cloud SQL for MySQL, so the PostgreSQL recommendations are not applicable.
Apart from these, SnapApp also follows these best practices:
- Minimize access points
  - By default, public IP is disabled and private IP is used inside a VPC (this may vary in some SnapApp deployments)
- Uses MySQL 8.0+
- Strengthen passwords
  - Uses a strong, randomly generated password for the MySQL user
- Binary logging is enabled
- Automated backups are enabled
- A maintenance window is configured in SnapApp for Cloud SQL
- Disk is set to auto-increase in capacity
- Each table has a primary key
- Connection pooling is used
- Delete protection is enabled
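The Cloud Storage and Cloud SQL controls above, plus the load-balancer SSL policy from the VPC & Networking section, as an added Terraform example (not SnapApp’s own IaC): a private bucket with uniform bucket-level access, a MySQL 8.0 instance with private IP, backups, binary logging, auto-resize, deletion protection and the two benchmark flags this page lists as not yet enforced, and an SSL policy that rejects TLS below 1.2. Resource names, the project and the VPC path are placeholders.

```hcl
resource "google_storage_bucket" "private_assets" {
  name                        = "example-private-assets"  # placeholder
  location                    = "US"
  uniform_bucket_level_access = true        # CIS: uniform bucket-level access
  public_access_prevention    = "enforced"  # rejects allUsers / allAuthenticatedUsers grants
}

resource "google_sql_database_instance" "mysql" {
  name                = "example-mysql"     # placeholder
  database_version    = "MYSQL_8_0"         # MySQL 8.0+
  region              = "us-central1"
  deletion_protection = true                # delete protection
  settings {
    tier            = "db-custom-2-7680"
    disk_autoresize = true                  # disk auto-increases in capacity
    ip_configuration {
      ipv4_enabled    = false               # no public IP
      private_network = "projects/example-project/global/networks/example-vpc"  # placeholder
    }
    backup_configuration {
      enabled            = true             # automated backups
      binary_log_enabled = true             # binary logging
    }
    maintenance_window {
      day  = 7
      hour = 3
    }
    # The two CIS flags the page lists as not yet enforced.
    database_flags {
      name  = "skip_show_database"
      value = "on"
    }
    database_flags {
      name  = "local_infile"
      value = "off"
    }
  }
}

resource "google_compute_ssl_policy" "modern_tls" {
  name            = "example-modern-tls"    # placeholder
  profile         = "MODERN"
  min_tls_version = "TLS_1_2"               # no TLS below 1.2 on HTTPS/SSL proxy LBs
}
```

Scanning this file with Trivy (mentioned in the Code Security section below) is a quick way to confirm the flags and access settings stay enforced as the configuration evolves.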
Code Security & Best Practices
Static code analysis using SonarQube
SonarQube is a tool for continuous code quality and security analysis. It provides detailed insights into code smells, bugs, vulnerabilities and duplicated code, resulting in more maintainable, secure and efficient code, reducing technical debt and improving software reliability.
Unit Tests and Integration Tests
- Unit tests and integration tests are run frequently to ensure the code and application behave as expected.
Mozilla Observatory
Mozilla Observatory is a tool for assessing the security configuration of web applications. SnapApp’s page can be found here.
Private Code Repository
- The SnapApp codebase is stored in a private repository.
Secrets not in code
- SnapApp stores all secrets, passwords and API keys in Secret Manager and does not store them in the code repository.
Trivy / tfsec for Terraform
- Trivy, an open-source vulnerability scanner, is used to scan the Terraform code. It detects security misconfigurations and vulnerabilities in Terraform configurations before they are deployed, so that the SnapApp cloud infrastructure is secure from the outset.
GCP Web Security Scanner
- Periodic Web Security Scanner jobs are run to detect vulnerabilities in the application.
Logging & Monitoring
Monitoring Dashboard
- SnapApp has a monitoring dashboard configured in Google Cloud Monitoring, which provides an overview of all the services SnapApp uses.
Logging
- All application logs are stored in Cloud Logging.
Ensure That Cloud Audit Logging Is Configured Properly
VPC & Networking
SnapApp uses a custom VPC network
- SnapApp creates a custom VPC and places its resources (such as Cloud SQL, Cloud Run and Redis) inside this VPC.
SSH access is restricted from the Internet.
RDP access is restricted from the Internet. SnapApp does not use any Windows VMs.
Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites
- TLS 1.2 or greater is used by SnapApp’s SSL policies.