-
Notifications
You must be signed in to change notification settings - Fork 45
SoAR and Compliance
Home > About CHEFS > SoAR and Compliance
The Security Threat and Risk Assessment's (STRA) Statement of Acceptable Risks (SoAR) describes how the security of CHEFS is to be maintained. The following procedures are used to stay in compliance with the SoAR.
The section "Assessment", subsection "Vulnerability Management" states:
Advanced Cluster Security (ACS) is used by the CHEFS Team to identify, prioritize, and address security risks and vulnerabilities in the CHEFS application, including images, pods, and configurations.
CHEFS is on a two week sprint schedule, and this review happens before every sprint planning meeting. In Red Hat ACS ensure that the top item in the Images most at risk
has a JIRA item created for it. If not, create a JIRA item in the Backlog using the template:
- Type: Task
- Title: ACS Image most at risk: <IMAGE_NAME>
- Description:
The Red Hat Advanced Cluster Security (ACS) application has identified the image <IMAGE_NAME> as being most at risk. To satisfy the requirements outlined in the Security Threat and Risk Assessment's (STRA) Statement of Acceptable Risks (SoAR), this image must be updated to resolve fixable vulnerabilities (or mitigated in some other way, if updating the image is not possible). - Epic Link: CHEFS DevOps
Update the log at the end of this page to show that this step has been completed.
During sprint planning arrange for the new JIRA item to be included in the sprint.
The section "Assessment", subsection "Vulnerability Management" states:
GitHub’s Dependabot is enabled for enforced for security alerts. Dependency package security audits are done periodically for the main CHEFS image which is updated regularly.
CHEFS is on a two week sprint schedule, and this review happens before every sprint planning meeting. In the common-hosted-form-service
GitHub repository check the Security
> Dependabot
alerts. Create a JIRA item in the Backlog for new alerts using the template:
- Type: Task
- Title: Dependabot Vulnerability Alert for <PACKAGE_NAME>
- Description:
The GitHub Dependabot process has created an alert for the <PACKAGE_NAME> dependency. To satisfy the requirements outlined in the Security Threat and Risk Assessment's (STRA) Statement of Acceptable Risks (SoAR), this vulnerability must be handled by updating the package version (or mitigated in some other way, if updating the package is not possible).
https://github.com/bcgov/common-hosted-form-service/security/dependabot/<DEPENDABOT_ID> - Epic Link: CHEFS DevOps
Update the log at the end of this page to show that this step has been completed.
During sprint planning arrange for the new JIRA item to be included in the sprint.
The section "Findings and Conclusion" states:
The CHEFS Team has remediated all medium vulnerabilities identified in OWASP ZAP scan conducted by NRS. Also, they have added the OWASP ZAP tool into the CHEFS development pipeline.
Although the ZAP scan vulnerabilities were remediated, the scan results must be monitored for new vulnerabilities.
CHEFS is on a two week sprint schedule, and this review happens before every sprint planning meeting. In the common-hosted-form-service
GitHub repository open the Issue
called ZAP Full Scan Report
. At the bottom of the issue follow the link to retrieve the zap_scan
artifact. Create a JIRA item in the Backlog for new alerts using the template:
- Type: Task
- Title: OWASP ZAP Scan Vulnerability <VULNERABILITY_NAME>
- Description:
The OWASP Zap Scan process has identified a <VULNERABILITY_RISK_LEVEL> risk level vulnerability:
> <VULNERABILITY_DESCRIPTION>
To satisfy the requirements outlined in the Security Threat and Risk Assessment's (STRA) Statement of Acceptable Risks (SoAR), this vulnerability must be remediated. - Epic Link: CHEFS DevOps
Update the log at the end of this page to show that this step has been completed.
During sprint planning arrange for the new JIRA item to be included in the sprint.
Date | ACS | Dependabot | OWASP Zap Scan |
---|---|---|---|
2023-10-12 |