My name is Lucian and I am an SRE Observability Engineer at Mambu GmbH.
We are working on a custom solution based on Grafana (data sources: Prometheus & VictoriaMetrics), and have some questions from a security perspective, as follows:
1. How is the Grafana design performed? Are you considering security requirements in the architecture and design phase of the product and of new features?
2. Are you performing code reviews? If yes, are security checks part of them?
3. How are dependencies managed?
3.1 Are you scanning for vulnerable dependencies?
3.2 How are dependencies reviewed before being added to the product, and how are vulnerable or unmaintained dependencies handled?
4. How is the source code checked for vulnerabilities (e.g. static code analysis, penetration tests, ...)?
5. How is the build process secured?
Thank you.
SRE Observability Engineer