Production Security Approval

[JohnNKing]

Backlog Task

Work with our CDC security contact to perform Fortify scans on our code base.

Completion Criteria

• [x] Fortify scan completed and results shared securely with the team.
• [x] Depending on severity, additional tasks are created to address the Fortify scan findings.

Tasks

• [x] SoftwareAssurance@cdc.gov is the contact address
• [x] Document Process for requesting access to this in Notion
• [x] Verify if this is a one time scan or ongoing?
• [x] If ongoing, how to auto upload as part of our pipeline?
• [x] Update onboarding checklist to have people add themselves after they have a CDC account.
  • [x] Add documentation on notion to show how to apply to the CDC ent repo. (https://github.com/cdcent/ocio-fortify)
• [x] Add SFTP app to Fortify
• [x] Developers request access for themselves to the trusted intermediary and the sftp-ingestion service in Fortify portal
• [x] Add new readme to fortify repo
• [x] Figure out how we check/ keep track of the fortify scan results.
  • [x] Mark false positives as such. - @halprin
  • [x] Make backlog tickets for real issues.
  • [x] Sent e-mail to Stephanie. - @halprin
  • [x] More e-mails with Jason Blackburn. - @halprin
  • [x] Figure out what the overall process is and document it. - @halprin
• [x] Add team reminders for trusted-intermediary and sftp ingestion token expirations - @JohnNKing
• [x] Peter to send Jeff some SH&T - @halprin

[scleary1cs]

Combine with #721?

Answer = no

[scleary1cs]

Ensure "additional automated security scanning (could be informed by the ISSO)." Per Eng Block on 1/17/24

[scleary1cs]

Need to be in citrix remote desktop:

https://docs.cdc.gov/docs/devsecops/services/code-scan/fortify

[jcrichlake]

I requested access to fortify from the cdc sharepoint form and am awaiting a response. After I hear back I can request access for everyone on the team

[jcrichlake]

I just emailed the SoftwareAssurance team at the cdc to follow up on the access to fortify scans. I haven't received any word from them so figured I'd give them a poke to get a status update.

[jcrichlake]

This is in progress and confirmed that the information I gave to the Fortify team is sufficient.

[scleary1cs]

This should be for both the intermediary and the ingestion service.

[saquino0827]

Finished our first pass on Fortify. We marked what we thought were false positives and set the remaining issues as under review due to needing research or a group decision to be made.