Buypass: Findings in 2023 audit
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: mads.henriksveen, Assigned: mads.henriksveen)
Details
(Whiteboard: [ca-compliance] [audit-finding])
Audit Incident Report
Finding #1
PHYSICAL SECURITY REVIEWS
The process for reviewing Physical Security authorisations is not effectively performed.
Root Cause Analysis
The internal control for the physical access rights was not conducted as scheduled due to an accidental deletion of the internal control in the schedule program. In addition, the controls were not included in the periodic review of performed controls.
Action Items
| Action Item | Kind | Due Date |
|---|---|---|
| Add internal control for physical access rights back into the schedule | Prevent | DONE |
| Include control for physical access in quarterly review of implemented controls | Prevent | DONE |
| Ensure all internal controls are included in the quarterly review | Prevent | DONE |
Finding #2
CERTIFICATE PROFILE CONFIGURATION
Buypass did not effectively implement the certificate profile change regarding Subject Attribute Encoding pursuant to CABF BR 7.1.4.2.
The subject attributes were not encoded in the relative order as they appear in the BR-table for the attribute.
This finding has already been self-reported in https://bugzilla.mozilla.org/show_bug.cgi?id=1864204
Root Cause Analysis
Buypass has used inhouse developed CA-systems for many years and always configured certificate content by defining the structure in a Certificate Profile.
The Subject attributes in the Certificate Profiles were configured according to BR v2.0.0. We verified that the order of the Subject attributes in the certificate was the same as in the Certificate Profiles. This verification was done by using Windows Certificate Viewer.
Our certificate issuance system reversed the order of Subject attributes from the Certificate Profile before writing them to the certificate file. Windows Certificate Viewer also reverses the order of the Subject attributes after reading the certificate file before presentation.
In combination, we were confident that we had proper control of the certificate configuration.
The linters used do not focus on the order of Subject attributes as defined in BR 2.0.0, and did not report any issue.
Action Items
| Action Item | Kind | Due Date |
|---|---|---|
| Improve the change process for such configuration changes, i.e. to include a verification at file level | Prevent | DONE |
| Include digicert/pkilint in the certificate issuance process | Prevent | 2024-02-01 |
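An added example (not Buypass code) of the file-level verification the action item calls for: it DER-encodes a Subject Name in the order a Certificate Profile lists it, reads the RDN order straight back from the bytes, and flags pairs in the wrong relative order. The expected order list is an assumption taken from BR v2.0.0 7.1.4.2 (adjust to the current BR), and the attribute values are constructed.

```python
from typing import List, Tuple
# Attribute type OIDs, DER-encoded (2.5.4.x); a small constructed subset.
OID = {"C": b"\x55\x04\x06", "ST": b"\x55\x04\x08", "L": b"\x55\x04\x07",
       "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}
NAME_OF_OID = {v: k for k, v in OID.items()}
# Relative order these attributes must keep; assumed from BR v2.0.0 7.1.4.2.
BR_ORDER = ["C", "ST", "L", "O", "CN"]

def der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV using definite-length encoding."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def encode_name(rdns: List[Tuple[str, str]]) -> bytes:
    """Name ::= SEQUENCE OF SET OF SEQUENCE {type OID, value UTF8String}."""
    out = b""
    for attr, value in rdns:  # one attribute per RDN, in the order given
        atv = der(0x30, der(0x06, OID[attr]) + der(0x0C, value.encode()))
        out += der(0x31, atv)
    return der(0x30, out)

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, position after this TLV) for the TLV at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def file_order(name_der: bytes) -> List[str]:
    """Attribute types in the order physically stored in the DER (single-valued RDNs assumed)."""
    _, seq, _ = read_tlv(name_der, 0)
    order, pos = [], 0
    while pos < len(seq):
        _, rdn_set, pos = read_tlv(seq, pos)
        _, atv, _ = read_tlv(rdn_set, 0)
        _, oid, _ = read_tlv(atv, 0)
        order.append(NAME_OF_OID.get(oid, oid.hex()))
    return order

def check_relative_order(order: List[str], expected: List[str] = BR_ORDER) -> List[str]:
    """Return every pair of known attributes that appears in the wrong relative order."""
    rank = {a: i for i, a in enumerate(expected)}
    return [f"{a} before {b}" for i, a in enumerate(order) for b in order[i + 1:]
            if a in rank and b in rank and rank[a] > rank[b]]

if __name__ == "__main__":
    profile = [("C", "NO"), ("O", "Example Org"), ("CN", "example.test")]  # constructed
    issued = encode_name(list(reversed(profile)))  # issuance system reversed the profile order
    print("viewer (reversed) order:", file_order(issued)[::-1])  # matches the profile, so looked fine
    print("file-level violations:", check_relative_order(file_order(issued)))
```

Reading the order from the encoded bytes rather than from a viewer is what exposes the double reversal described in the root cause analysis.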
Thanks Mads for the reported findings!
Just a few quick questions on the first one:
- Have you identified the Root Cause of the deletion? Was it e.g. a Google Doc someone accidentally selected a part of and replaced it? Do you have any additional steps you're taking to ensure this won't happen again?
- Have you identified any other missing controls or data? I'm guessing not, just asking to confirm.
- What's the period you did not check physical access rights for? (Between last check and finding out and performing a new check) Were there any findings in that period?
Comment 2 • 2 years ago (Assignee)
(In reply to Antonis from comment #1)
> Thanks Mads for the reported findings!
> Just a few quick questions on the first one:
> Have you identified the Root Cause of the deletion? Was it e.g. a Google Doc someone accidentally selected a part of and replaced it? Do you have any additional steps you're taking to ensure this won't happen again?
> Have you identified any other missing controls or data? I'm guessing not, just asking to confirm.
> What's the period you did not check physical access rights for? (Between last check and finding out and performing a new check) Were there any findings in that period?

- The deletion was due to human error; a person accidentally deleted the control during an update of the schedule. All scheduled controls are included in a quarterly review to ensure this won't happen again.
- We have not identified any other missing controls or data.
- The control was missing in a period from April to October 2023. The control was done immediately after discovery, and no findings were made for the period.
Comment 3 • 2 years ago
Thanks for the response!
I think these answers are reasonable, and I'd suggest for #1 to perhaps look more into a versioning system, ideally with some automation to check that on every edit.
From what I understand, the same reason could not only delete an entire control and go unnoticed, but also a sentence or paragraph or word from another.
During schedule updates or any other control changes, do you have a change management process where someone reviews a diff of the proposal? It would be easier to notice if someone had to review a request deleting and not replacing that with anything.
Comment 4 • 2 years ago (Assignee)
Thank you for your comment and suggestions, we will take them into consideration.
Comment 5 • 2 years ago (Assignee)
We have included digicert/pkilint in the certificate issuance process today, slightly delayed relative to the plan.
Here is an update on the Action items:
Action Items
| Action Item | Kind | Due Date |
|---|---|---|
| Improve the change process for such configuration changes, i.e. to include a verification at file level | Prevent | DONE |
| Include digicert/pkilint in the certificate issuance process | Prevent | DONE |
Comment 6 • 2 years ago (Assignee)
We have no new information in this bug.
Comment 7 • 1 year ago (Assignee)
We have no new information in this bug.
Comment 8 • 1 year ago (Assignee)
We have no new information in this bug.
All action items are done and if there are no more comments or questions, we kindly request this bug to be closed.
Comment 9 • 1 year ago
I'll close this on or about Friday, 15-Mar-2024, unless there is a need for further discussion.