Security verification

My company currently uses NServiceBus 5, and we are looking to upgrade to 7 now that it’s been released. Security has come back with a request to provide more information about your product.

We are looking for any documents/processes you have for the following

  1. Security development lifecycle
  2. Static code analysis
  3. Penetration testing
  4. Threat modelling

Please let me know if you need any formal email communication before you can assist with this.

Hey @devindran

We do not use security-specific analysis or testing in our development process. This is mostly because NServiceBus runs on top of existing messaging infrastructure and we do not add additional security functionality on top of that (except for our message property encryption package). We recommend leveraging a transport's security features if necessary.
As for the endpoint processes, NServiceBus runs as a .NET process and inherits all potential security risks of the platform (e.g. the .NET Framework). Notice that NServiceBus endpoints do not require elevated privileges.

We use static code analysis, but not with an explicit focus on security vulnerabilities. However, we have had several customers and vendors of security-related code analysis solutions analyse our code base, without any issues detected so far.

As part of our deployment process, NuGet packages are run against a malware scanner before being published to NuGet.

Is that information sufficient?