POC Check list

Infrastructure

Virtual Machines

  • Set up NGINX web server to allow hosting app outside of VM
  • Allow Application to consistently run or restart in case of VM shutdown (persistence)
  • Disaster Recovery
  • Networking access to Server
  • Authentication
  • Infrastructure as Code

Containerisation

  • Set up application to run via containers
  • Locally
  • Push to client Docker Artifactory
  • CLIENT TODO: Hardened Images

SSL Certificates (Allow Access via HTTPS instead of IP)

  • CLIENT TODO: Generate SSL Certificate to allow HTTPS access
  • Configure NGINX web server to do SSL handshakes
  • CLIENT TODO: Configure DPN DNS to find web application given a domain name

Database

  • Provision
  • Install Database in VM
  • Set up Connectivity between Application and Database
  • Set up Service Accounts (for application and ops team)
  • Set up Initial Tables (Schema)
  • Hardening (Security)
  • Check with client any hardening guidelines
  • Handover (Client Ops Team need to manage this later)
  • Database in Azure (?) -

Database Scaling

  • Create indexes/views that allow faster querying (assuming we need only one DB for now and will scale vertically)

GraphQL/Hasura

  • Set up GraphQL/Hasura in PRN. This is a big one. We aligned on the technology and got the green light from DSTG to try and install it
  • Allow simulating client environment locally (Vagrant files) This is to develop infrastructure as code and enable
  • Connectivity between DB -> Hasura -> Application

Continuous Integration/Deployment

  • Deploy webapp (manually first)
  • Deploy Simulation Engine (or already there?)
  • Repository to Repository Connectivity (similar to DT)
  • Automate syncing of the repositories
  • CLIENT TODO: coordinate how we can automate this process rather than asking in email given we have more repositories moving forward. (short term: consider mono-repo for all digital-twins? not scalable for production)
  • Automate creating a build and running automated tests against the build (Continuous Integration)
  • Automated Deployment on VM (Continuous Deployment)
  • CLIENT TODO: possible to deploy in nested VM?
  • Allow rollback on deployment issues
  • Application Versioning

Application

  • Configure Security Protocols
    • GitLeaks
    • SonarQube Code Scanning
    • Git Dependencies Scanning
  • Deploy web application (RAAF). This will be my happiest day on this project!
  • Integrate (using API/Database, Production State)
  • Simulation Engine to Web Application
  • Web Application to Simulation Engine
  • Web app -> Database -> Simulation Engine

Authentication/Authorization

  • Access control for users
  • Certificates?
  • Integrate with Client Single Sign On?
  • Password Authentication?

Performance

  • Caching (speed up the web application by caching certain responses that we don’t expect to easily change)
  • Minify JS files for faster loading times
  • Scale automatically (should we worry about this? expected number of concurrent users?)

Monitoring (For Production builds)

  • Figure out how to monitor the application and alert if it goes down or if there are any issues
  • Persistent storage of application logs for tracing and debugging any issues in a production system
  • Performance Monitoring/Load Test Benchmark

Security Checklist

  • Database Hardening (Patches, Authorization/Authentication, Service Accounts, Network Ports, Encryption)
  • Application Security (OWASP Top 10, CWE Top 25, SANS Top 25)
  • Network Security (HTTP/s, Ports)
  • Are non-public facing servers hidden from the public? (DB, Simulation Engines, Backend, etc)
  • User Management (Database Users, Web application User)
  • Data Storage Security (Encryption, Accessibility, Retention, Backup & Recovery)
  • Necessary Data Compliance? (ISO 27001, ISO 9001, IEC, Cyber Security Standards, SOC, etc)
  • Storage of sensitive configurations/keys
  • Rotations
  • Zero Trust Policy

Documentation

  • Overall Architecture
  • Infrastructure
  • Setting up Machines
  • Decision Registry
  • Security Registry