18F / concourse-compliance-testing

Concourse CI assets for Compliance Toolkit
https://compliance-viewer.18f.gov/

The ZAP scan should be tunable based on features of the target site. #77

Open DavidEBest opened 8 years ago

DavidEBest commented 8 years ago

https://18f.slack.com/archives/compliance-toolkit/p1461964310000617 and https://18f.slack.com/archives/dap/p1461963187000393

Static sites have a different security profile than a dynamic one. We should tune the scans to match.

afeld commented 8 years ago

@konklone Can you elaborate a bit on what sort of configuration changes you'd like to make?

konklone commented 8 years ago

For all of our sites, I'm not a fan of us using a threat model that tries to mitigate users' computers which have been owned. That's what the browser cache-related flags are about.

For static sites that have no capacity to receive or act upon user input, we should consider de-scoping some of the "security headers" flags. I think it will require more conversation than this thread to consider whether or not X-XSS-Protection can possibly be relevant to a static site, but if it's going to come up in scans for sites which may have no way to easily remediate them (e.g. S3/CloudFront combo sites), we should try to be thoughtful.

I also requested that dap.digitalgov.gov be given special treatment in some way when flagging third party services, since government sites are encouraged to use it and it's not as much of a "third" party as the other services it detects. Same for search.usa.gov. It looks like the scanner already doesn't bring up Google Analytics. We should confirm that that's deliberate and that we agree with it (I do).

For some common third parties, like Google Fonts, it would be helpful to link to specific remediation examples, like this one.

In general, I think the success of these scanning efforts will be tied closely to how high-signal they are to development teams. Those doing the scanning should try to make each flagged item as relevant, justified, and easy to fix as possible.
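The profile-based tuning proposed above, as an added example that is not code from 18F/concourse-compliance-testing: a small post-filter that takes ZAP-style alerts and a per-site profile, drops the browser-cache flags that only matter under a compromised-client threat model, de-scopes the XSS-protection header flag for sites marked static, suppresses third-party flags for trusted services such as dap.digitalgov.gov and search.usa.gov, and attaches a remediation pointer for known third parties like Google Fonts. The `SiteProfile`, `Finding` and `tune` names, the rule tables, the sample alerts and the placeholder remediation link are all assumptions made for this example, not the project's configuration.

```python
"""Profile-aware post-filter for ZAP-style scan alerts.

Added example, not code from 18F/concourse-compliance-testing. Alert strings
are modelled on ZAP passive-scan alert names; hosts, URLs and the rule tables
are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlparse


@dataclass(frozen=True)
class SiteProfile:
    name: str
    static: bool                      # True: site cannot receive or act on user input
    trusted_third_parties: frozenset = frozenset()


# Flags that only matter if an already-compromised browser is in scope
# (the cache-related flags discussed in the thread). Substring match, assumed.
CLIENT_COMPROMISE_ALERTS = ("Cache-control", "Pragma")
# Flags the thread suggests de-scoping for static sites. Substring match, assumed.
STATIC_DESCOPED_ALERTS = ("XSS Protection",)
# Remediation pointers for common third parties. The link quoted in the thread
# is not reproduced on the page, so a placeholder stands in for it.
REMEDIATION_HINTS = {
    "fonts.googleapis.com": "<placeholder: link to a self-hosted Google Fonts example>",
}


@dataclass
class Finding:
    alert: str
    url: str
    risk: str
    resource: Optional[str] = None    # third-party URL the alert points at, if any


@dataclass
class TunedResult:
    kept: List[Tuple[Finding, Optional[str]]] = field(default_factory=list)     # (finding, hint)
    suppressed: List[Tuple[Finding, str]] = field(default_factory=list)         # (finding, reason)


def _host(url: str) -> str:
    return urlparse(url).hostname or ""


def tune(findings, profile: SiteProfile, ignore_client_compromise: bool = True) -> TunedResult:
    """Apply the site profile to raw findings; every suppression carries a reason
    so reviewers can audit what was dropped rather than silently losing it."""
    result = TunedResult()
    for f in findings:
        reason = None
        if ignore_client_compromise and any(k in f.alert for k in CLIENT_COMPROMISE_ALERTS):
            reason = "compromised-client threat model out of scope"
        elif profile.static and any(k in f.alert for k in STATIC_DESCOPED_ALERTS):
            reason = f"de-scoped for static profile '{profile.name}'"
        elif f.resource and _host(f.resource) in profile.trusted_third_parties:
            reason = f"trusted third party {_host(f.resource)}"
        if reason:
            result.suppressed.append((f, reason))
            continue
        hint = REMEDIATION_HINTS.get(_host(f.resource)) if f.resource else None
        result.kept.append((f, hint))
    return result


# Constructed sample profiles and findings (not real scan output).
STATIC_PROFILE = SiteProfile("static-s3", static=True,
                             trusted_third_parties=frozenset({"dap.digitalgov.gov", "search.usa.gov"}))
DYNAMIC_PROFILE = SiteProfile("dynamic-app", static=False)

SAMPLE_FINDINGS = [
    Finding("Web Browser XSS Protection Not Enabled", "https://example.gov/", "Low"),
    Finding("Incomplete or No Cache-control and Pragma HTTP Header Set", "https://example.gov/", "Low"),
    Finding("Third Party Resource", "https://example.gov/", "Informational",
            resource="https://dap.digitalgov.gov/dap.js"),
    Finding("Third Party Resource", "https://example.gov/", "Informational",
            resource="https://fonts.googleapis.com/css?family=Source+Sans+Pro"),
    Finding("X-Content-Type-Options Header Missing", "https://example.gov/", "Low"),
]


def report(profile: SiteProfile) -> str:
    """Human-readable summary of what the profile keeps and why the rest was dropped."""
    r = tune(SAMPLE_FINDINGS, profile)
    lines = [f"profile {profile.name}: {len(r.kept)} kept, {len(r.suppressed)} suppressed"]
    lines += [f"  KEEP  {f.alert}" + (f"  -> {hint}" if hint else "") for f, hint in r.kept]
    lines += [f"  DROP  {f.alert}  ({why})" for f, why in r.suppressed]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(STATIC_PROFILE))
    print(report(DYNAMIC_PROFILE))
```

Running the block with the static profile keeps only the Google Fonts finding (with its remediation hint) and the X-Content-Type-Options finding; the dynamic profile keeps the XSS-protection and DAP findings as well, so the same scan yields a different, higher-signal list per site without changing the scanner itself.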

afeld commented 8 years ago

> consider whether or not X-XSS-Protection can possibly be relevant to a static site

Cool, that's the kind of stuff I was looking for.

> I also requested that dap.digitalgov.gov be given special treatment in some way when flagging third party services

👉 https://github.com/18F/concourse-compliance-testing/issues/76