Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Disable API #243

Merged
merged 9 commits into from
Nov 30, 2023
Merged

Disable API #243

merged 9 commits into from
Nov 30, 2023

Conversation

mrinnetmaki
Copy link
Member

Risk analysis

  • Risks of the implementation in this pull request have been analyzed with following results:
  • Following items in the risk list are related to the implementation: [list of risk ids]

Significance

  • Analysis, is the software change considered significant (ref. MDCG 2020-3, chart C), has been made with following result:
  • This is a significant change, but no MDR certification is required as this is the end of life announcement for this service.

Security check-up

https://github.com/OWASP/www-project-top-ten/blob/master/index.md

  • A01:2021-Broken Access Control - This changes access control a bit, but only by disabling functionality. Does not expose vulnerable data.
  • A02:2021-Cryptographic Failures - No changes to crypto functionality.
  • A03:2021-Injection - It's really hard to inject anything now.
  • A04:2021-Insecure Design - The change was made quite fast, but no new attack vectors have been identified.
  • A05:2021-Security Misconfiguration - No changes to security configs.
  • A06:2021-Vulnerable and Outdated Components - There are some, but there's no point in updating them anymore.
  • A07:2021-Identification and Authentication Failures - Should not matter as only feature left is deleting an account. And even existing accounts are useless and provide no access to data.
  • A08:2021-Software and Data Integrity Failures - No changes here.
  • A09:2021-Security Logging and Monitoring Failures - We could perhaps monitor whether anyone still tries to use the API. We can do that manually by inspecting load balancer accesss logs. No point in doing it here.
  • A10:2021-Server-Side Request Forgery - Not applicable, no links or any input accepted.

@mrinnetmaki mrinnetmaki merged commit 46bd4b0 into master Nov 30, 2023
1 check passed
@mrinnetmaki mrinnetmaki deleted the shutdown branch November 30, 2023 21:24
Copy link

@ReettaValimaki ReettaValimaki left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved post merge due to critical timing of the change

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants