HHS / OPRE-OPS

ACF's OPRE OPS product. Code name Unicorn.

Decide on security analysis tools #36

Closed carjug closed 3 years ago

carjug commented 3 years ago

We want to decide on security tools that we can integrate into our development and continuous integration processes.

| Type of Check | Alex | Carly | Amy |
| --- | --- | --- | --- |
| Dependency scanning | GitHub Dependabot | Snyk, but open to hearing about others! | Snyk |
| Static analysis for security | GitHub CodeQL | Not sure. Open to opinions | Bandit |
| Application scanning | OWASP Zap | OWASP Zap | Not sure, open to anything you choose |
alexsoble commented 3 years ago

Moved over the dependency scanning and static analysis rows from #35.

alexsoble commented 3 years ago

Also added a new line for application scanning, this is the category that OWASP ZAP would fall into. Here's how I would think about the different kinds of tools:

carjug commented 3 years ago

Sounds good to me, Alex! Thanks for moving things over.

alexsoble commented 3 years ago

☝️ All 3 engineers have already started adding ideas here async, so I'm going to move this from TODO to In Progress!

alexsoble commented 3 years ago

We can learn from the TANF Data Portal project here.

They started off with Snyk but then moved to GitHub Native Dependabot.

The team wrote about their reasons why in an ADR!

https://github.com/raft-tech/TANF-app/blob/raft-tdp-main/docs/Architecture%20Decision%20Record/016-dependabot-dependency-management.md

alexsoble commented 3 years ago

... however, it looks like GitHub Native Dependabot isn't quite ready for Enterprise yet: https://github.com/dependabot/dependabot-core/issues/2149

alexsoble commented 3 years ago

... but I do see TTA SmartHub using it via the HHS GitHub org! So looks like it's likely available after all! https://github.com/HHS/Head-Start-TTADP/pull/487

alexsoble commented 3 years ago

Using GitHub-provided Dependabot and GitHub-provided CodeQL would simplify the compliance. (See discussion over in #55, https://github.com/18F/OPRE-Unicorn/issues/55#issuecomment-881065543.) Also, CodeQL is getting some rave reviews over in Slack and catching security bugs that weren't caught by other layers of tooling/review.

carjug commented 3 years ago

I'm all for using the GitHub-provided services given the simplicity of keeping things all in one place and also the fact that people are loving 💓

amymok commented 3 years ago

It looks like Snyk does have more functionality than Dependabot. Dependabot mostly focuses on dependencies, but Snyk also scans the code for other types of security issues. The question would be: can the other tools we are using here also fill in those functions?

alexsoble commented 3 years ago

@amymok CodeQL can fill in the static analysis code-scanning piece!

alexsoble commented 3 years ago

@amymok @carjug Do we have consensus that GitHub Dependabot and GitHub CodeQL will be our preferred third-party tools, or are there questions/concerns we want to discuss at next week's eng cowork? Either way is OK with me

carjug commented 3 years ago

Dependabot and CodeQL are good with me :) open to either as well though.

amymok commented 3 years ago

I don't have any concerns. I am good with Dependabot and CodeQL. I am assuming we also have the consensus on OWASP Zap? Do we need to check compliance or anything on that?

alexsoble commented 3 years ago

@amymok OWASP ZAP gets pulled in as a Docker image, as opposed to being a third-party external service that we integrate with. So kind of similarly to flake8 or coverage.py, I'd treat it as a library we're using, not an external service we need to get compliance sign-off on.
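To make the distinction above concrete, here is an added example of how the two kinds of tools land in CI. This is not code from the OPRE-OPS repository or from anyone in this thread; it is an illustrative GitHub Actions workflow. CodeQL is wired in through the GitHub-provided `github/codeql-action`, so results flow into GitHub's code scanning tab, while ZAP is just a container image pulled at run time and pointed at the app. Assumptions are marked in comments: the workflow filename, that the app is Python, that a `docker-compose.yml` in the repo brings the app up on `localhost:8080`, and the ZAP image tag (`ghcr.io/zaproxy/zaproxy:stable` is the current name; the `owasp/zap2docker-stable` name was in use when this thread was written).

```yaml
# .github/workflows/security.yml  (assumed filename; example, not the project's own workflow)
name: Security checks

on:
  push:
    branches: [main]
  pull_request:

jobs:
  codeql:
    name: Static analysis (GitHub-provided CodeQL)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload SARIF results to GitHub code scanning
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
        with:
          languages: python    # assumption: the app is Python (Bandit/flake8 are mentioned in the thread)
      - uses: github/codeql-action/analyze@v2

  zap-baseline:
    name: Application scanning (OWASP ZAP pulled as a Docker image)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Start the app under test
        # assumption: a docker-compose.yml in the repo exposes the app on localhost:8080
        run: |
          docker compose up -d
          sleep 15
      - name: Run ZAP passive baseline scan
        # zap-baseline.py spiders the target and reports passive-scan findings.
        # --network host lets the container reach localhost; /zap/wrk is where the
        # script writes its report, so the workspace is mounted there.
        # -I keeps WARN-level findings from failing the job; drop it to make them blocking.
        run: |
          docker run --rm --network host \
            -v "$PWD":/zap/wrk:rw \
            ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
            -t http://localhost:8080 \
            -r zap-report.html \
            -I
      - uses: actions/upload-artifact@v3
        if: always()
        with:
          name: zap-report
          path: zap-report.html
```

Note the practical difference the thread is getting at: the `codeql` job has no target URL and no image to pin; GitHub runs and stores the analysis. The `zap-baseline` job is entirely self-hosted on the runner, so pinning the image tag (or digest) and reviewing the HTML report are the team's responsibility, which is why it is reasonable to treat it like any other dependency rather than an external service. Dependabot itself is configured separately in `.github/dependabot.yml`, not in a workflow.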

alexsoble commented 3 years ago

I'll pick this one up since we finished out the ADR for CI/CD