Open greggles opened 4 years ago
There's a page about it in Before You Ship, if it helps.
That seems like a great resource. Maybe the section should actually be shortened and link to that.
Combination of manual review and automated testing. See [18f guide to security](https://before-you-ship.18f.gov/security/)
@greggles, the security section is one entry in a sample contract artifact — the Quality Assurance Surveillance Plan — to actually be incorporated into an RFP. We cannot advise people to include the "Before You Ship" website into an RFP. The security component of the QASP is not intended to serve as a comprehensive security guide (we'd probably advise NIST 800-53 for that), but is simply an example of the sort of requirements that might be included within the security requirements within the QASP.
That's some great context, thanks.
I came to this document because it's in a potential set of recommendations to an organization. I read this section and felt concerned that the people receiving it as a recommendation would look at those 2 very specific tools, adopt them, and think they were done. Maybe that's a misplaced concern.
The security section currently reads:
The npm audit tool is a very necessary security check and it does kind of seem like static testing. However npm audit does not seem like a sufficient static testing tool. Similarly, ZAP is great but I believe it requires a skilled individual using it to be effective. I think there are maybe 3 levels of tools to consider:
I'd be happy to try to put together a PR if you agree.
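One way to make `npm audit` an enforced gate rather than an advisory printout, as an added example that is not from the repository under discussion or from any commenter in this thread: a small Python script that parses the JSON report `npm audit --json` writes (the report shape assumed here is the npm 7+ format with `auditReportVersion: 2`; the embedded sample report, package names and advisory URLs are constructed for illustration) and fails when any finding meets a configurable severity threshold. The comments also make the limitation behind the discussion above explicit: the report covers only published advisories for installed dependencies, so it says nothing about defects in the project's own code.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample in the shape of `npm audit --json` (npm 7+ report format,
# assumed here). Package names, advisory ids and URLs are invented placeholders.
SAMPLE_AUDIT_JSON = """
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "example-left-pad": {
      "name": "example-left-pad",
      "severity": "high",
      "isDirect": false,
      "via": [{"source": 1, "title": "Placeholder advisory", "url": "https://example.invalid/advisory/1"}],
      "effects": ["example-app"],
      "range": "<1.2.0",
      "fixAvailable": true
    },
    "example-yaml-parser": {
      "name": "example-yaml-parser",
      "severity": "moderate",
      "isDirect": true,
      "via": [{"source": 2, "title": "Placeholder advisory", "url": "https://example.invalid/advisory/2"}],
      "effects": [],
      "range": "<2.0.0",
      "fixAvailable": false
    }
  },
  "metadata": {
    "vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 1, "critical": 0, "total": 2}
  }
}
"""

# npm's severity ladder, lowest to highest.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def findings_at_or_above(report: dict, threshold: str) -> List[Dict]:
    """Return the vulnerability entries whose severity is >= threshold.

    Note what is being inspected: each entry is a *published advisory* against
    an *installed dependency*. Nothing here looks at first-party source code,
    which is why `npm audit` alone is not a static-analysis substitute.
    """
    if threshold not in SEVERITY_RANK:
        raise ValueError(f"unknown severity threshold: {threshold!r}")
    floor = SEVERITY_RANK[threshold]
    hits = []
    for entry in report.get("vulnerabilities", {}).values():
        sev = entry.get("severity", "info")
        # Treat an unrecognised severity as the most severe rather than ignoring it.
        if SEVERITY_RANK.get(sev, SEVERITY_RANK["critical"]) >= floor:
            hits.append(entry)
    return hits


def audit_gate(report_json: str, threshold: str = "high") -> Tuple[bool, List[str]]:
    """Parse an `npm audit --json` report and decide whether the build may proceed.

    Returns (passed, messages). A CI job would exit non-zero when passed is False.
    """
    report = json.loads(report_json)
    hits = findings_at_or_above(report, threshold)
    messages = []
    for entry in sorted(hits, key=lambda e: -SEVERITY_RANK.get(e.get("severity", "info"), 4)):
        direct = "direct" if entry.get("isDirect") else "transitive"
        fix = "fix available" if entry.get("fixAvailable") else "no fix available"
        messages.append(
            f"{entry['severity']}: {entry['name']} ({direct}, affected range {entry.get('range', '?')}, {fix})"
        )
    return (len(hits) == 0, messages)


if __name__ == "__main__":
    # Typical usage in CI would be: npm audit --json > audit.json, then feed the
    # file's contents to audit_gate; the constructed sample stands in for that here.
    passed, messages = audit_gate(SAMPLE_AUDIT_JSON, threshold="high")
    for line in messages:
        print(line)
    print("gate passed" if passed else "gate FAILED")
    raise SystemExit(0 if passed else 1)
```

Setting the threshold is a policy decision that belongs in the same place as the rest of the QASP requirements; the script only makes whatever level is chosen mechanically enforceable, and a `fixAvailable: false` finding is the case that usually needs a human decision rather than an automatic upgrade.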