Mentors: Julien Dhallenne <firstname.lastname@chuv.ch>, Konstantinos Filippopolitis, Jonathan Haab
Skill level: Intermediate to Advanced (advanced mostly because of the tool integration work, the false-positive reduction and the documentation quality expected)
Required skills: Git, CI/CD, basic security mindset, scripting, Docker, Linux, Python
Time commitment: part time or full time (175/350h)
About: Current code, infrastructure and CI/CD security practices vary across EBRAINS and the Neuroinformatics community. Many projects only partially meet the security standards required by the Cyber Resilience Act (CRA) and NIS2. Using the Medical Informatics Platform (MIP) [1] as a proof of concept to demonstrate feasibility for the wider community, we want to use the OWASP DevSecOps Maturity Model (DSOMM) [2] as the baseline to assess our current pipeline maturity, and the OWASP DevSecOps Guideline [3] as the reference for implementation. Both Kubernetes-related IaC and application software stacks are available to work on. The MIP is a federated platform designed to help clinicians, clinical scientists and clinical data scientists who want to adopt advanced analytics for clinical research. Users can explore harmonized medical data extracted from pre-processed neuroimaging, neurophysiological and medical records and from research cohort datasets, without the original clinical data ever leaving the hospital.
Aims: This project starts with a DSOMM-based maturity snapshot that we will convert into an actionable implementation plan. We will then implement the first controls of a “real” DevSecOps-enabled infrastructure for end-to-end quality and security of software. The outcome will be a working reference pipeline (for IaC or application code) that produces security artifacts automatically (e.g. scan reports, SBOMs, policy results), demonstrating that high-quality, secure software production is achievable in our community and reusable across teams. Finally, the contributor will package the results as a reusable “secure pipeline blueprint”. We will also plan upstream contributions to OWASP should we encounter discrepancies in the OWASP guides and framework along the way.
Expected outcomes: There will be 3 phases, following the general GSoC calendar.
Phase 1: DSOMM baseline assessment and selection of the controls to implement (planning). Deliverables: DSOMM assessment report (a simple matrix: current state → target maturity → chosen activities).
Phase 2: Implement the chosen DSOMM controls in the pipelines and generate the artifacts (main work). The number of controls implemented depends on the time commitment.
Deliverables: Reference CI/CD pipeline implementation (GitHub Actions) with secret scanning, SCA + SBOM generation, and either IaC misconfiguration scanning or application SAST (depending on the focus chosen by the applicant), plus the pipeline artifacts produced automatically on every run (reports stored as CI artifacts, SARIF files, SBOM files, policy-check results, etc.). Reducing false positives matters here: a gate that blocks on noise gets disabled, so findings need a stable identity so that accepted ones can be baselined rather than silenced tool-wide.
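To make the “policy checks” deliverable concrete, the following is an added example (not code from the MIP project, EBRAINS or OWASP) of a minimal gate that a GitHub Actions job could run over the merged SARIF output of the secret-scanning and SAST steps. It fails the job when a finding is at or above a severity threshold unless that finding is listed in an accepted-findings baseline. The SARIF document, tool names, rule ids, the level-to-score fallback and the fingerprint scheme are all constructed for this example.

```python
"""SARIF policy gate: fail CI on severe, non-baselined findings."""
import json
import sys
from dataclasses import dataclass

# Constructed SARIF 2.1.0 document standing in for the merged output of a
# secret scanner and a SAST tool. Tool and rule names are illustrative only.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [
    {"tool": {"driver": {"name": "secret-scanner",
                         "rules": [{"id": "generic-api-key"}]}},
     "results": [{"ruleId": "generic-api-key", "level": "error",
                  "message": {"text": "Possible hard-coded API key"},
                  "locations": [{"physicalLocation": {
                      "artifactLocation": {"uri": "config/settings.py"},
                      "region": {"startLine": 12}}}],
                  "partialFingerprints": {"primaryLocationLineHash": "ab12"}}]},
    {"tool": {"driver": {"name": "sast", "rules": [
        {"id": "py/sql-injection", "properties": {"security-severity": "9.1"}},
        {"id": "py/weak-hash", "properties": {"security-severity": "3.5"}}]}},
     "results": [
        {"ruleId": "py/sql-injection", "ruleIndex": 0, "level": "error",
         "message": {"text": "Query built from user input"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/db.py"},
             "region": {"startLine": 40}}}]},
        {"ruleId": "py/weak-hash", "ruleIndex": 1, "level": "warning",
         "message": {"text": "MD5 used for password hashing"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/auth.py"},
             "region": {"startLine": 8}}}],
         "partialFingerprints": {"primaryLocationLineHash": "cd34"}},
        {"ruleId": "py/sql-injection", "ruleIndex": 0, "level": "error",
         "message": {"text": "Query built from user input"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "app/legacy.py"},
             "region": {"startLine": 77}}}],
         "partialFingerprints": {"primaryLocationLineHash": "ef56"}}]}]})

# Fallback used when a rule carries no "security-severity" property. This
# mapping is a policy choice of the example, not something SARIF prescribes.
LEVEL_SCORE = {"error": 7.0, "warning": 4.0, "note": 1.0, "none": 0.0}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    severity: float
    uri: str
    line: int
    key: str  # stable identity used for the accepted-findings baseline
    message: str


def _rule_for(driver, result):
    """Resolve the rule a result refers to, by ruleIndex first, then ruleId."""
    rules = driver.get("rules", [])
    idx = result.get("ruleIndex")
    if isinstance(idx, int) and 0 <= idx < len(rules):
        return rules[idx]
    return next((r for r in rules if r.get("id") == result.get("ruleId")), {})


def _severity(rule, result):
    prop = rule.get("properties", {}).get("security-severity")
    return float(prop) if prop is not None else LEVEL_SCORE.get(result.get("level", "warning"), 4.0)


def load_findings(sarif_text):
    """Flatten every run/result of a SARIF document into Finding records."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        driver = run["tool"]["driver"]
        tool = driver.get("name", "unknown")
        for res in run.get("results", []):
            rule = _rule_for(driver, res)
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "?")
            line = loc.get("region", {}).get("startLine", 0)
            rule_id = res.get("ruleId", rule.get("id", "?"))
            # Prefer the scanner's own line hash so the key survives unrelated
            # edits; fall back to file:line when the tool emits none.
            fp = res.get("partialFingerprints", {}).get("primaryLocationLineHash") or f"{uri}:{line}"
            findings.append(Finding(tool, rule_id, _severity(rule, res), uri, line,
                                    f"{tool}:{rule_id}:{fp}", res.get("message", {}).get("text", "")))
    return findings


def evaluate(findings, threshold=7.0, baseline=frozenset()):
    """Return (passed, blocking): findings at/above threshold not in baseline."""
    blocking = [f for f in findings if f.severity >= threshold and f.key not in baseline]
    return (not blocking, blocking)


def main(argv):
    # usage: gate.py [merged.sarif [baseline.txt [threshold]]]; no args -> sample data
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SARIF
    baseline = frozenset(l.strip() for l in open(argv[2]) if l.strip()) if len(argv) > 2 else frozenset()
    threshold = float(argv[3]) if len(argv) > 3 else 7.0
    ok, blocking = evaluate(load_findings(text), threshold, baseline)
    for f in blocking:
        print(f"BLOCK {f.severity:4.1f} {f.tool} {f.rule_id} {f.uri}:{f.line} key={f.key}")
    print("policy: pass" if ok else f"policy: fail ({len(blocking)} blocking finding(s))")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it gates the embedded sample and exits non-zero; in a workflow step it would be given the SARIF file that was also uploaded to code scanning, plus a committed baseline file containing one key per accepted finding. Keeping the baseline in the repository makes every suppression a reviewed change, which is the difference between reducing false positives and hiding findings.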
Phase 3: Make it reusable, contribute upstream and polish the documentation.
Deliverables: Documentation and developer workflow (i.e. “how to fix findings, automatically or manually” and “how to adopt the pipeline in another repository”), and finalized upstream contribution PRs (which may have been started earlier in the project).
Tech keywords: Git, CI/CD, Security, Scripting, Kubernetes, GitHub workflows, SAST, DevOps, DevSecOps, SARIF, SBOM, DSOMM
Resources:
[1] Medical Informatics Platform (EBRAINS)
[2] OWASP DevSecOps Maturity Model (OWASP Foundation)
[3] OWASP DevSecOps Guideline (OWASP Foundation)