Feedback Request: Security Requirements for Cloud Apps

I have a question about the Content Security Policy (CSP) header from requirement 7.1.
Do you have any acceptance criteria for CSP (set of required Fetch directives except script-src)? Maybe you could provide a recommended way to assess the strength of a CSP (for example all green marks in https://csp-evaluator.withgoogle.com)?


Question about third-party libraries and dependencies with known critical or high vulnerabilities from requirement 9.

In some cases, third-party libraries and dependencies with known critical or high vulnerabilities do not affect an app. Sometimes it is not possible to update such dependencies asap because the fix is not available yet. Could you please recommend what should we do in such cases?


I have a question about the Content Security Policy (CSP) header from requirement 7.1.

@dzagorovsky we wanted to let our developer community start implementing Content Security Policy (CSP) to mitigate most script injection-related vulnerabilities. The recommendation would be to start by specifying the script sources and not using unsafe-inline or unsafe-eval directives. This should give the minimum protection CSP offers. https://csp-evaluator.withgoogle.com/ can be used to validate your policies.

Question about third-party libraries and dependencies with known critical or high vulnerabilities from requirement 9.

We recommend avoiding the usage of libraries or dependencies with critical or high severity vulnerabilities and instead using a patched version of these dependencies. If available, use an alternative library/dependency that is free from high/critical severity vulnerabilities. In case neither is possible, we suggest you evaluate the risk and exploitability of the vulnerability and apply any known workarounds. However, when there is a zero-day vulnerability identified (e.g. Spring4Shell) on a library that significantly impacts customer data, we will file an AMS ticket, and developers are expected to resolve it within the due date specified on the ticket.
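As an added illustration of the CSP advice in the reply above (restrict script sources, avoid 'unsafe-inline' and 'unsafe-eval', then validate the policy), here is a small policy linter written for this thread. It is not code from the requirements, from the forum's authors, or from csp-evaluator; the finding names, severities and the two sample policies are this example's own constructions, chosen to mirror the kind of checks csp-evaluator reports (scripts allowed from anywhere, unsafe keywords, scheme-only or wildcard sources, missing object-src and base-uri).

```javascript
// Added example: a minimal CSP linter for the checks discussed in this thread.
// Not the project's code and not csp-evaluator itself. Finding labels are ours.

// Parse a Content-Security-Policy header value into a Map of directive -> values.
// Browsers ignore a repeated directive, so only the first occurrence is kept.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return a list of {severity, msg} findings for a policy string.
function evaluateCsp(header) {
  const d = parseCsp(header);
  const findings = [];

  // script-src falls back to default-src when absent.
  const scriptSrc = d.get('script-src') ?? d.get('default-src');
  if (!scriptSrc) {
    findings.push({ severity: 'high', msg: 'no script-src or default-src: scripts may load from any origin' });
  } else {
    const values = scriptSrc.map((v) => v.toLowerCase());
    // With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline',
    // so its impact is limited to older browsers.
    const hasNonceOrHash = values.some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v));
    if (values.includes("'unsafe-inline'")) {
      findings.push({
        severity: hasNonceOrHash ? 'medium' : 'high',
        msg: "'unsafe-inline' in script-src allows injected inline scripts to run",
      });
    }
    if (values.includes("'unsafe-eval'")) {
      findings.push({ severity: 'high', msg: "'unsafe-eval' in script-src allows eval()-style code execution" });
    }
    for (const v of values) {
      if (v === '*' || v === 'data:') {
        findings.push({ severity: 'high', msg: `script source ${v} allows arbitrary script loading` });
      } else if (/^(https?|blob|filesystem):$/.test(v)) {
        findings.push({ severity: 'medium', msg: `scheme-only source ${v} allows scripts from any host using that scheme` });
      }
    }
  }

  // object-src also falls back to default-src; base-uri has no fallback.
  if (!d.has('object-src') && !d.has('default-src')) {
    findings.push({ severity: 'high', msg: "missing object-src: set it to 'none' to block plugin-based script execution" });
  }
  if (!d.has('base-uri')) {
    findings.push({ severity: 'medium', msg: 'missing base-uri: an injected <base> tag can redirect relative script URLs' });
  }
  return findings;
}

// Collapse findings to a single verdict: 'high', 'medium' or 'none'.
function highestSeverity(findings) {
  if (findings.some((f) => f.severity === 'high')) return 'high';
  if (findings.some((f) => f.severity === 'medium')) return 'medium';
  return 'none';
}

// Constructed sample policies: a weak one and a hardened one.
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:";
const STRONG_POLICY =
  "default-src 'self'; script-src 'self' 'nonce-r4nd0m' https://cdn.example.com; object-src 'none'; base-uri 'self'";

for (const [label, policy] of [['weak', WEAK_POLICY], ['strong', STRONG_POLICY]]) {
  const findings = evaluateCsp(policy);
  console.log(`${label}: verdict=${highestSeverity(findings)}`);
  for (const f of findings) console.log(`  [${f.severity}] ${f.msg}`);
}
```

Run it with `node csp-lint.js`; the weak policy yields two high findings (the unsafe keywords), a medium for the `https:` scheme-only source and a medium for the missing base-uri, while the nonce-based policy produces none. The linter deliberately stays narrow: it does not judge whether the listed hosts themselves are safe (a CDN that hosts a JSONP endpoint or an old Angular build can still bypass the policy), which is why the reply still points at csp-evaluator for the full check.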

Now that the draft requirements have been published, I’m locking this thread. All feedback and questions are still welcome, please just post them as new topics.
