SPA Initial Code Examination
SPA Initial Code Examination
Areas found that need improvement:
- The code is in two languages, C and Perl, with Perl old/largely unsupported.
- This is proof-of-concept code, so it is limited in a number of ways:
- ICMP support is lacking
- Configuration file information supports exactly one user
- Server access to GPG is problematic/insecure
- No installation script for server or client
- Documentation is laced with grammatical/spelling errors
- Additional concern as GPG (used for key management) is not quantum safe.
To remedy these areas, the following is proposed:
- Switch to a single programming language if possible
- Minimally C for all of the server-side code, unknown for clients (python? C?)
- Use quantum-resistant algorithms as needed.
- Develop a system for storage/usage of sensitive key information:
- There should be a "test" installation method that does not use the sensitive key storage to allowing for trial/testing of the program.
- It could be HashiCorp Vault, but it should support other methods/designs.
- Expand user support to include multiple users.
- Develop installation scripts.
- Clean up and improve documentation.
Edited by Simple Nomad