Decide on security analysis tools

[carjug]

We want to decide on security tools that we can integrate into our development and continuous integration processes.

Type of Check	Alex	Carly	Amy
Dependency scanning	GitHub Dependabot	Snyk, but open to hearing about others!	Snyk
Static analysis for security	GitHub CodeQL	Not sure. Open to opinions	Bandit
Application scanning	OWASP Zap	OWASP Zap	Not sure, Open to anything you choose

[alexsoble]

Moved over the dependency scanning and static analysis rows from #35.

[alexsoble]

Also added a new line for application scanning, this is the category that OWASP ZAP would fall into. Here's how I would think about the different kinds of tools:

• Dependency scanning: Reads our dependency files, lets us know when a dependency needs an upgrade due to a vulnerability.
• Static analysis for security: Reads our source code, looks for patterns in the code that tend to be associated with unsafe coding practices.
• Application scanning: Visits the application [either a local version spun up during CI/CD, or a deployed development site, or prod] and scans for common security misconfigurations.

[carjug]

Sounds good to me, Alex! Thanks for moving things over.

[alexsoble]

☝️ All 3 engineers have already started adding ideas here async, so I'm going to move this from TODO to In Progress!

[alexsoble]

We can learn from the TANF Data Portal project here.

They started off with Snyk but then moved to GitHub Native Dependabot.

The team wrote about their reasons why in an ADR!

https://github.com/raft-tech/TANF-app/blob/raft-tdp-main/docs/Architecture%20Decision%20Record/016-dependabot-dependency-management.md

[alexsoble]

... however, it looks like GitHub Native Dependabot isn't quite ready for Enterprise yet: https://github.com/dependabot/dependabot-core/issues/2149

[alexsoble]

... but I do see TTA SmartHub using it via the HHS GitHub org! So looks like it's likely available after all! https://github.com/HHS/Head-Start-TTADP/pull/487

[alexsoble]

Using GitHub-provided Dependabot and GitHub-provided CodeQL would simplify the compliance. (See discussion over in #55, https://github.com/18F/OPRE-Unicorn/issues/55#issuecomment-881065543.) Also, CodeQL is getting some rave reviews over in Slack and catching security bugs that weren't caught by other layers of tooling/review.

[carjug]

I'm all for using the GitHub-provided services given the simplicity of keeping things all in one place and also the fact that people are loving 💓

[amymok]

It looks like Snyk does have more functionalities than Dependabot. Dependabot mostly focus on dependencies, but Snyk also scan the code for other types of security issues. The question would be, can other tools we are using here also can fill in those functions?

[alexsoble]

@amymok CodeQL can fill in the static analysis code-scanning piece!

[alexsoble]

@amymok @carjug Do we have consensus that GitHub Dependabot and GitHub CodeQL will be our preferred third-party tools, or are there questions/concerns we want to discuss at next week's eng cowork? Either way is OK with me

[carjug]

Dependabot and CodeQL are good with me :) open to either as well though.

[amymok]

I don't have any concerns. I am good with Dependabot and CodeQL. I am assuming we also have the consensus on OWASP Zap? Do we need to check compliance or anything on that?

[alexsoble]

@amymok OWASP ZAP gets pulled in as a Docker image, as opposed to being a third-party external service that we integrate with. So kind of similarly to flake8 or coverage.py, I'd treat it as a library we're using, not an external service we need to get compliance sign-off on.

[alexsoble]

I'll pick this one up since we finished out the ADR for CI/CD