security: document ISO/IEC 27001 compliance and enable TLS by default #569

Description

@kcenon

What

OpenSSL is an opt-in feature today (CMakeLists.txt:184-189). For production defaults, OpenSSL should be enabled by default, and the repository should document how the project maps to ISO/IEC 27001 A.10 (cryptography) and A.13 (communication security).

  • Current: OpenSSL optional; no ISO 27001 compliance docs
  • Expected: OpenSSL ON by default; docs/compliance/ISO_27001.md added
  • Scope: CMakeLists.txt, docs/compliance/**, vcpkg.json defaults

Why

  • Shipping a database client with TLS off-by-default is a security smell
  • Enterprise adopters ask for ISO 27001 evidence at procurement time
  • Brings database into line with logger_system and pacs_system security stance

How

Technical Approach

  1. Flip USE_OPENSSL default to ON, keep opt-out for minimal embedded builds
  2. Verify secure_connection.h covers TLS 1.2+ and certificate validation
  3. Author docs/compliance/ISO_27001.md mapping A.10 / A.13 controls to features
  4. Update README with a "Security posture" section

Acceptance Criteria

  • TLS on by default; CI covers both OpenSSL-on and -off builds
  • Compliance doc published
  • README links to security posture section
