
SnapApp GCP CIS Benchmark

on 02-05-2026 12:00 AM by SnapApp by BlueVector AI


This document provides an overview of how SnapApp aligns with the CIS Benchmark recommendations for the Google Cloud Platform (GCP).

The CIS Benchmark is a set of widely accepted security best practices designed to help organizations run cloud environments securely.
While SnapApp follows many industry best practices by default, this document focuses specifically on those areas that are relevant to the CIS Benchmark.

The intent of this document is to clearly explain these practices in a way that is easy to read and understand, even for readers who may be new to cloud security or GCP.



Cloud Storage

1. Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible

No Cloud Storage bucket used by SnapApp is publicly or anonymously accessible by default: bucket IAM policies carry no bindings for the allUsers or allAuthenticatedUsers principals.
This ensures that data stored in these buckets cannot be read by unauthenticated or otherwise unauthorized users over the internet.

The only exception is a designated public bucket, which is intentionally created to store assets that are meant to be publicly available, such as:

  • Images
  • Custom stylesheets
  • Favicons
  • Other static resources that need to be accessible by users

No sensitive or restricted data is stored in this public bucket.

2. Ensure That Cloud Storage Buckets Have Uniform Bucket Level Access Enabled

All Cloud Storage buckets in SnapApp have Uniform Bucket-Level Access enabled.

This means:

  • Access permissions are managed at the bucket level
  • Individual object-level permissions (object ACLs) are not used

This approach simplifies access management and reduces the risk of accidental misconfiguration.
These settings are also enforced through Infrastructure as Code (IaC) using Terraform, ensuring consistency across environments.
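The two controls above can be checked from bucket metadata alone. The following is an added example (not SnapApp's or BlueVector's own code) that audits a set of buckets for public IAM bindings and for uniform bucket-level access. The input shape follows the Cloud Storage JSON API bucket resource and IAM policy, i.e. what `gcloud storage buckets describe --format=json` and `gcloud storage buckets get-iam-policy --format=json` return; the bucket names, project and principals in the sample data are constructed for the example, and the allow-list for the designated public asset bucket is an assumption about how such an exception would be recorded.

```python
"""Audit Cloud Storage buckets for public access and uniform bucket-level access.

Sample buckets and IAM policies below are constructed; field names follow the
Cloud Storage JSON API (bucket resource and IAM policy).
"""
from __future__ import annotations

# Either principal in a binding makes the bucket readable by everyone on the internet.
PUBLIC_PRINCIPALS = frozenset({"allUsers", "allAuthenticatedUsers"})

# Constructed bucket metadata: the subset of the bucket resource that matters here.
SAMPLE_BUCKETS = {
    "snapapp-private-data": {"iamConfiguration": {
        "uniformBucketLevelAccess": {"enabled": True}, "publicAccessPrevention": "enforced"}},
    "snapapp-public-assets": {"iamConfiguration": {
        "uniformBucketLevelAccess": {"enabled": True}, "publicAccessPrevention": "inherited"}},
    "legacy-uploads": {"iamConfiguration": {
        "uniformBucketLevelAccess": {"enabled": False}, "publicAccessPrevention": "inherited"}},
}

# Constructed IAM policies keyed by bucket name (hypothetical project and principals).
SAMPLE_POLICIES = {
    "snapapp-private-data": {"bindings": [
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]}]},
    "snapapp-public-assets": {"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]}]},
    "legacy-uploads": {"bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["allAuthenticatedUsers", "user:dev@example.com"]}]},
}


def public_bindings(policy: dict) -> list[tuple[str, str]]:
    """Return (principal, role) pairs that grant access to everyone on the internet."""
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                found.append((member, binding["role"]))
    return found


def uniform_access_enabled(bucket: dict) -> bool:
    """True when iamConfiguration.uniformBucketLevelAccess.enabled is set on the bucket."""
    cfg = bucket.get("iamConfiguration", {})
    return bool(cfg.get("uniformBucketLevelAccess", {}).get("enabled", False))


def audit_bucket(name: str, bucket: dict, policy: dict,
                 allowed_public: frozenset[str] = frozenset()) -> list[str]:
    """Findings for one bucket; an empty list means both controls pass.

    Buckets named in allowed_public are the documented exception (the designated
    public asset bucket) and are not reported for public bindings.
    """
    findings = []
    for principal, role in public_bindings(policy):
        if name in allowed_public:
            continue
        findings.append(f"public-access: {principal} has {role}")
    if not uniform_access_enabled(bucket):
        findings.append("uniform-access: uniform bucket-level access disabled (object ACLs still in effect)")
    return findings


def audit_all(buckets: dict, policies: dict,
              allowed_public: frozenset[str] = frozenset()) -> dict[str, list[str]]:
    """Audit every bucket; a bucket with no policy on file is treated as having no bindings."""
    return {name: audit_bucket(name, b, policies.get(name, {}), allowed_public)
            for name, b in buckets.items()}


if __name__ == "__main__":
    allowed = frozenset({"snapapp-public-assets"})
    for bucket_name, findings in audit_all(SAMPLE_BUCKETS, SAMPLE_POLICIES, allowed).items():
        print(bucket_name, "OK" if not findings else findings)
```

Against the constructed data the private bucket and the allow-listed public asset bucket pass, while `legacy-uploads` is reported twice: once for the allAuthenticatedUsers binding (which is public for CIS purposes even though it requires a Google account) and once for having object ACLs still in effect. Setting `publicAccessPrevention` to `enforced` on every bucket except the asset bucket makes the first finding impossible to reintroduce by a later IAM change.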


Cloud SQL (MySQL)

SnapApp uses Google Cloud SQL with MySQL for database services.

1. Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges

To prevent unauthorized administrative access:

  • The default root account is disabled
  • A custom MySQL user is created when a new Cloud SQL instance is provisioned
  • Strong password requirements are enforced for this user

This ensures that administrative privileges are tightly controlled.

2. Ensure ‘Skip_show_database’ Database Flag for Cloud SQL MySQL Instance Is Set to ‘On’ (Automated)
  • This database flag is currently not enforced
  • When set to on, SHOW DATABASES only works for users holding the SHOW DATABASES privilege, so other users cannot enumerate database names
  • In practice, leaving it unset does not introduce significant risk because:
    • Each Cloud SQL instance typically contains only one user-created database
    • No additional user databases exist apart from system databases
3. Ensure That the ‘Local_infile’ Database Flag for a Cloud SQL MySQL Instance Is Set to ‘Off’ (Automated)
  • This database flag is currently not enforced
  • When set to on, LOAD DATA LOCAL INFILE lets the server request files from the connecting client, which a compromised or spoofed server can abuse to read client-side files
  • The current database usage pattern minimizes exposure related to this setting
4. PostgreSQL Recommendations Are Not Applicable

SnapApp uses MySQL as its database engine, so the CIS recommendations for Cloud SQL PostgreSQL instances do not apply.

In addition to the CIS controls mentioned above, SnapApp follows several additional database best practices:

  • Network access paths to the database are minimized
  • Public IP access is disabled by default
  • Connections use a private IP within the VPC (this may vary by deployment)
  • Uses MySQL version 8.0 or higher
  • Strong passwords are used
  • Passwords are randomly generated and securely stored
  • Binary logging is enabled
  • Automated backups are enabled
  • Maintenance windows are configured
  • Disk capacity is set to automatically increase when required
  • Each table has a primary key
  • Connection pooling is used
  • Deletion protection is enabled
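The two unenforced flags (items 2 and 3 above) and the hardening list that follows them can all be verified from one instance description. The following is an added example (not SnapApp's or BlueVector's own code) that audits a Cloud SQL MySQL instance against those points. The input shape follows the Cloud SQL Admin API DatabaseInstance resource, i.e. what `gcloud sql instances describe INSTANCE --format=json` returns; the instance name, project and network path in the sample data are constructed. The first sample reproduces the posture described on this page (hardened, but with the two flags left unset) and the second shows the same instance after the flags have been set.

```python
"""Audit a Cloud SQL MySQL instance description for the flag controls and
hardening settings listed above. Sample instances are constructed; field names
follow the Cloud SQL Admin API DatabaseInstance / Settings resources.
"""
from __future__ import annotations

# Flag values the benchmark expects. Cloud SQL accepts "on"/"off" for these MySQL flags.
REQUIRED_FLAGS = {"skip_show_database": "on", "local_infile": "off"}

# Constructed: the posture this page describes (hardened, two MySQL flags not set).
AS_DOCUMENTED = {
    "name": "snapapp-prod",
    "databaseVersion": "MYSQL_8_0",
    "settings": {
        "databaseFlags": [],
        "ipConfiguration": {"ipv4Enabled": False,
                            "privateNetwork": "projects/example-project/global/networks/snapapp-vpc"},
        "backupConfiguration": {"enabled": True, "binaryLogEnabled": True},
        "storageAutoResize": True,
        "deletionProtectionEnabled": True,
        "maintenanceWindow": {"day": 7, "hour": 3},
    },
}

# Constructed: the same instance after both flags are set explicitly.
REMEDIATED = {**AS_DOCUMENTED, "settings": {
    **AS_DOCUMENTED["settings"],
    "databaseFlags": [{"name": "skip_show_database", "value": "on"},
                      {"name": "local_infile", "value": "off"}],
}}


def flag_values(instance: dict) -> dict[str, str]:
    """Map flag name -> value from settings.databaseFlags (a list of {name, value})."""
    return {f["name"].lower(): str(f["value"]).lower()
            for f in instance.get("settings", {}).get("databaseFlags", [])}


def audit_instance(instance: dict) -> list[str]:
    """Findings for one instance; an empty list means every check passed."""
    s = instance.get("settings", {})
    ip = s.get("ipConfiguration", {})
    backup = s.get("backupConfiguration", {})
    flags = flag_values(instance)
    findings = []

    if not instance.get("databaseVersion", "").startswith("MYSQL_8"):
        findings.append(f"engine: expected MySQL 8.x, got {instance.get('databaseVersion')!r}")
    # An unset flag takes the engine default; the control requires the value to be set explicitly.
    for name, wanted in REQUIRED_FLAGS.items():
        if flags.get(name) != wanted:
            findings.append(f"flag {name}: expected {wanted}, got {flags.get(name, 'unset')}")
    # ipv4Enabled defaults to true on a new instance, so treat a missing key as public.
    if ip.get("ipv4Enabled", True):
        findings.append("network: public IPv4 address enabled")
    if not ip.get("privateNetwork"):
        findings.append("network: no private VPC network attached")
    if not backup.get("enabled"):
        findings.append("backup: automated backups disabled")
    if not backup.get("binaryLogEnabled"):
        findings.append("backup: binary logging disabled (no point-in-time recovery)")
    if not s.get("storageAutoResize", False):
        findings.append("storage: automatic disk increase disabled")
    if not s.get("deletionProtectionEnabled", False):
        findings.append("instance: deletion protection disabled")
    if "maintenanceWindow" not in s:
        findings.append("instance: no maintenance window configured")
    return findings


if __name__ == "__main__":
    for inst in (AS_DOCUMENTED, REMEDIATED):
        print(inst["name"], audit_instance(inst) or "OK")
```

For the documented posture the only findings are the two flags. They can be set with `gcloud sql instances patch snapapp-prod --database-flags=skip_show_database=on,local_infile=off`; note that `--database-flags` replaces the instance's entire flag set, so any flags already configured must be repeated in the same command, and a flag change may restart the instance, so it belongs in the maintenance window.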



Code Security & Best Practices

1. Static Code analysis using SonarQube

SnapApp uses SonarQube for continuous code quality and security analysis.

SonarQube helps identify:

  • Code smells
  • Bugs
  • Security vulnerabilities
  • Duplicate code

This improves code maintainability, strengthens security, and reduces long-term technical debt.

2. Unit Tests and Integration Tests
  • Unit tests and integration tests are run frequently
  • These tests ensure that:
    • Individual components work correctly
    • The application behaves as expected as a whole
3. Mozilla Observatory

Mozilla Observatory is used to evaluate web application security best practices.

SnapApp’s public security report can be viewed here:

https://observatory.mozilla.org/analyze/snapapp.com

4. Private Code Repository
  • The SnapApp codebase is stored in a private repository
  • Secrets are not stored in the codebase
  • Passwords, API keys, and secrets are stored securely in Google Secret Manager
5. Trivy / tfsec for Terraform
  • Trivy is used to scan Terraform code for security misconfigurations
  • This helps identify infrastructure security issues before deployment
6. GCP Web Security Scanner
  • Web Security Scanner jobs are run periodically
  • These scans help detect vulnerabilities in the deployed application

Logging & Monitoring

1. Monitoring Dashboard
  • SnapApp uses Google Cloud Monitoring
  • Dashboards provide visibility into:
    • Application health
    • Infrastructure performance
    • Service availability
2. Logging
  • All application logs are stored in Google Cloud Logging
  • Cloud Audit Logging is enabled to track administrative and access-related activities

VPC & Networking

1. SnapApp Uses a Custom VPC Network
  • SnapApp uses a custom Virtual Private Cloud (VPC) rather than the default network
  • The following resources are deployed within this private network:
    • Cloud SQL
    • Cloud Run
    • Redis
2. SSH access is restricted from the Internet
  • SSH access from the public internet is restricted to reduce attack surface
3. RDP Access Is Restricted From the Internet
  • RDP access from the public internet is restricted
  • SnapApp does not operate any Windows virtual machines, so no RDP endpoints exist
4. Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites
  • SnapApp's load balancers use SSL policies with a minimum TLS version of 1.2; TLS 1.0 and 1.1 are not accepted
  • Weak or outdated cipher suites are not permitted by those policies
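The load balancer control above is a property of the SSL policy attached to each HTTPS or SSL proxy target, not of the certificate, and a target proxy with no policy attached falls back to the GCP default policy (COMPATIBLE profile, minimum TLS 1.0), which fails the check. The following is an added example (not SnapApp's or BlueVector's own code) that audits SSL policies for a weak minimum TLS version or weak cipher suites. The input shape follows the Compute API SslPolicy resource, i.e. what `gcloud compute ssl-policies describe NAME --format=json` returns; the policy names in the sample data are constructed, and the weak-cipher set is the group of RSA-key-exchange suites (no forward secrecy) that the benchmark calls out for CUSTOM profiles.

```python
"""Audit Compute Engine SSL policies for weak TLS versions and cipher suites.

Sample policies are constructed; field names follow the Compute API SslPolicy resource.
"""
from __future__ import annotations

# RSA key exchange suites (no forward secrecy) that must not appear in a CUSTOM profile.
WEAK_CIPHERS = frozenset({
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
})
# Google-managed profiles that only contain forward-secret, modern suites.
STRONG_PROFILES = frozenset({"MODERN", "RESTRICTED"})
WEAK_MIN_VERSIONS = frozenset({"TLS_1_0", "TLS_1_1"})

# Constructed policies, keyed by a hypothetical policy name.
SAMPLE_SSL_POLICIES = {
    "snapapp-tls": {"profile": "MODERN", "minTlsVersion": "TLS_1_2"},
    "legacy-compat": {"profile": "COMPATIBLE", "minTlsVersion": "TLS_1_0"},
    "custom-weak": {"profile": "CUSTOM", "minTlsVersion": "TLS_1_2",
                    "customFeatures": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                                       "TLS_RSA_WITH_AES_128_CBC_SHA"]},
}


def audit_ssl_policy(policy: dict | None) -> list[str]:
    """Findings for one SSL policy.

    Pass None for a target proxy with no sslPolicy attached: it then uses the GCP
    default policy, which allows TLS 1.0 and the COMPATIBLE cipher set.
    """
    if policy is None:
        return ["no sslPolicy attached: default policy allows TLS 1.0 and COMPATIBLE ciphers"]
    findings = []
    # A newly created policy defaults to TLS_1_0 when no minimum is given.
    min_tls = policy.get("minTlsVersion", "TLS_1_0")
    if min_tls in WEAK_MIN_VERSIONS:
        findings.append(f"minTlsVersion {min_tls}: TLS 1.2 or higher required")
    profile = policy.get("profile")
    if profile == "CUSTOM":
        # Only CUSTOM profiles list their suites; check them against the weak set.
        weak = sorted(WEAK_CIPHERS & set(policy.get("customFeatures", [])))
        if weak:
            findings.append("weak ciphers enabled: " + ", ".join(weak))
    elif profile not in STRONG_PROFILES:
        findings.append(f"profile {profile}: use MODERN, RESTRICTED or a vetted CUSTOM profile")
    return findings


def audit_all_ssl_policies(policies: dict) -> dict[str, list[str]]:
    """Audit every policy; result is keyed by policy name."""
    return {name: audit_ssl_policy(p) for name, p in policies.items()}


if __name__ == "__main__":
    for policy_name, findings in audit_all_ssl_policies(SAMPLE_SSL_POLICIES).items():
        print(policy_name, findings or "OK")
    print("(unattached)", audit_ssl_policy(None))
```

Only `snapapp-tls` passes; `legacy-compat` fails on both the minimum version and the profile, and `custom-weak` fails because one of its suites uses static RSA key exchange even though its minimum version is TLS 1.2. To make the check complete, pair it with the `sslPolicy` field of each target HTTPS and SSL proxy so that proxies with no policy at all are caught as well.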
