
SoAR and Compliance

Walter Moar edited this page Oct 3, 2023 · 19 revisions



SoAR and Compliance Procedures

The Security Threat and Risk Assessment's (STRA) Statement of Acceptable Risks (SoAR) describes how the security of CHEFS is to be maintained. The following procedures are used to stay in compliance with the SoAR.

Dependabot

The section "Assessment", subsection "Vulnerability Management" states:

GitHub’s Dependabot is enabled and enforced for security alerts. Dependency package security audits are done periodically for the main CHEFS image, which is updated regularly.

CHEFS is on a two-week sprint schedule, and this review happens before every sprint planning meeting. In the common-hosted-form-service GitHub repository, check Security > Dependabot alerts. Create a JIRA item in the Backlog for each new alert using the template:

  • Type: Task
  • Title: Dependabot Vulnerability Alert for <PACKAGE_NAME>
  • Description:
    The GitHub Dependabot process has created an alert for the <PACKAGE_NAME> dependency. To satisfy the requirements outlined in the Security Threat and Risk Assessment's (STRA) Statement of Acceptable Risks (SoAR), this vulnerability must be handled by updating the package version (or mitigated in some other way, if updating the package is not possible).
    https://github.com/bcgov/common-hosted-form-service/security/dependabot/<DEPENDABOT_ID>
  • Epic Link: CHEFS DevOps

Update the log at the end of this page to show that this step has been completed.

During sprint planning, arrange for the new JIRA item to be included in the sprint.

OWASP Zap Scan

The section "Findings and Conclusion" states:

The CHEFS Team has remediated all medium vulnerabilities identified in the OWASP ZAP scan conducted by NRS. Also, they have added the OWASP ZAP tool into the CHEFS development pipeline.

Although the ZAP scan vulnerabilities were remediated, the scan results must be monitored for new vulnerabilities.

CHEFS is on a two-week sprint schedule, and this review happens before every sprint planning meeting. In the common-hosted-form-service GitHub repository, open the Issue called ZAP Full Scan Report. At the bottom of the issue, follow the link to retrieve the zap_scan artifact. Create a JIRA item in the Backlog for each new alert using the template:

  • Type: Task
  • Title: OWASP ZAP Scan Vulnerability <VULNERABILITY_NAME>
  • Description:
    The OWASP Zap Scan process has identified a <VULNERABILITY_RISK_LEVEL> risk level vulnerability:
    > <VULNERABILITY_DESCRIPTION>
    To satisfy the requirements outlined in the Security Threat and Risk Assessment's (STRA) Statement of Acceptable Risks (SoAR), this vulnerability must be remediated.
  • Epic Link: CHEFS DevOps

Update the log at the end of this page to show that this step has been completed.

During sprint planning, arrange for the new JIRA item to be included in the sprint.
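As an added illustration of the two review steps above (example code, not part of the CHEFS project), the following Python turns Dependabot alert records and a ZAP JSON report into JIRA items using the templates on this page, skipping alerts that are no longer open or were ticketed in an earlier review. The record shapes follow GitHub's Dependabot alerts REST API and ZAP's JSON report; the sample records, the set of already-ticketed alert numbers and the Medium risk threshold are assumptions.

```python
import re

REPO_URL = "https://github.com/bcgov/common-hosted-form-service"  # the repository named on this page
SOAR = ("To satisfy the requirements outlined in the Security Threat and Risk Assessment's (STRA) "
        "Statement of Acceptable Risks (SoAR), this vulnerability must be ")
ZAP_RISK = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}  # ZAP riskcode values


def jira_item(title, description):
    # Type and Epic Link are fixed by both templates on this page.
    return {"type": "Task", "title": title, "description": description, "epic_link": "CHEFS DevOps"}


def dependabot_items(alerts, ticketed):
    # alerts: GitHub /repos/{owner}/{repo}/dependabot/alerts shape; ticketed: numbers already in JIRA.
    items = []
    for a in alerts:
        if a["state"] != "open" or a["number"] in ticketed:
            continue  # fixed/dismissed alerts and already-ticketed ones need no new item
        pkg = a["dependency"]["package"]["name"]
        items.append(jira_item(
            f"Dependabot Vulnerability Alert for {pkg}",
            f"The GitHub Dependabot process has created an alert for the {pkg} dependency. {SOAR}"
            "handled by updating the package version (or mitigated in some other way, if updating "
            f"the package is not possible).\n{REPO_URL}/security/dependabot/{a['number']}"))
    return items


def zap_items(report, min_riskcode=2):
    # report: ZAP JSON report layout (site[].alerts[] with name/riskcode/desc); Medium threshold is assumed.
    items = []
    for site in report["site"]:
        for f in site["alerts"]:
            if int(f["riskcode"]) < min_riskcode:
                continue
            desc = re.sub(r"<[^>]+>", "", f["desc"]).strip()  # ZAP wraps descriptions in HTML tags
            items.append(jira_item(
                f"OWASP ZAP Scan Vulnerability {f['name']}",
                f"The OWASP Zap Scan process has identified a {ZAP_RISK[f['riskcode']]} risk level "
                f"vulnerability:\n> {desc}\n{SOAR}remediated."))
    return items


# Constructed sample input (not real findings): one open and one fixed alert; one Medium, one Informational.
SAMPLE_ALERTS = [
    {"number": 101, "state": "open", "dependency": {"package": {"name": "example-pkg"}}},
    {"number": 99, "state": "fixed", "dependency": {"package": {"name": "other-pkg"}}},
]
SAMPLE_ZAP = {"site": [{"alerts": [
    {"name": "Missing Anti-clickjacking Header", "riskcode": "2", "desc": "<p>No X-Frame-Options header.</p>"},
    {"name": "Information Disclosure", "riskcode": "0", "desc": "<p>Comment found.</p>"},
]}]}
```

Passing the alert numbers from the previous review as `ticketed` keeps a second run before the next sprint from producing duplicate JIRA items.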

Log

Date         Dependabot   OWASP Zap Scan
2023-10-12