NASA-AMMOS / slim

Software Lifecycle Improvement & Modernization
https://nasa-ammos.github.io/slim/
Apache License 2.0

[New Process Improvement Need]: Recommended A&A Best Practices #48

Open riverma opened 1 year ago

riverma commented 1 year ago

Checked for duplicates

Yes - I've already checked

Category

Security - application, network, hardware, etc. security topics

Describe the need

We have a need for:

+1'd from @LucaCinquini @mcduffie

riverma commented 1 year ago

@ramesh-maddegoda has done some great work on this for the Unity SDS project. It'd be really great to share the general best practices he developed in SLIM.

ramesh-maddegoda commented 1 year ago

> @ramesh-maddegoda has done some great work on this for the Unity SDS project. It'd be really great to share the general best practices he developed in SLIM.

@riverma, we have most of our security-related topics documented under https://github.com/unity-sds/unity-cs/wiki#security as follows.

Some of these topics are generic and some are Unity specific. Should we have these docs written in a generic way (applicable to any project)? If they have to be generic, we will have to write a few new wiki pages in a generic way.

riverma commented 1 year ago

Wow. This is really great stuff @ramesh-maddegoda! Thanks for sharing. Let me look over this and offer some thoughts. I think some generic versions of your guides could be really great, and maybe even some sort of automation that sets things up. Have to look a bit more into what you've been working on in detail.

CC @jpl-jengelke @jpl-btlunsfo for cognizance.

ramesh-maddegoda commented 1 year ago

In addition, we also have some code examples implemented as follows, so the developers can use those as reference implementations.

1) HySDS UI - authentication with OAuth 2.0 Authorization Code Grant with PKCE (Proof Key for Code Exchange)

2) Secured RESTful API - protected with API Gateway

3) REST API Consumer - authentication with OAuth 2.0 Client Credentials Grant for app-to-app (machine-to-machine) communication.
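The PKCE piece of item 1 is the part of the Authorization Code Grant that is easiest to get subtly wrong, so here is an added, self-contained illustration of it (example code written for this thread, not the Unity SDS reference implementation, and not tied to any particular identity provider). It shows the client-side `code_verifier`/`code_challenge` derivation from RFC 7636 and a minimal model of the server side: the challenge is bound to the authorization code at `/authorize`, and `/token` only issues a token when the presented verifier hashes to that challenge, so a captured code alone cannot be redeemed. `AuthorizationServer` and `run_flow` are stand-ins constructed for the example.

```python
import base64
import hashlib
import secrets

# Added example (not from the Unity SDS reference implementations): the PKCE
# step of the OAuth 2.0 Authorization Code Grant, per RFC 7636.

# Characters RFC 7636 allows in a code_verifier (the "unreserved" set).
UNRESERVED = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"


def generate_code_verifier(length: int = 64) -> str:
    """Random code_verifier of 43..128 unreserved characters (RFC 7636 s4.1)."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43-128 characters long")
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Constructed stand-in for the server side of the exchange.

    /authorize records the challenge against a fresh code; /token checks the
    verifier and consumes the code so it can be redeemed at most once.
    """

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        # Only the hashed method is accepted; "plain" would give an
        # eavesdropper the verifier itself.
        if method != "S256":
            raise ValueError("only code_challenge_method=S256 is accepted")
        code = secrets.token_urlsafe(32)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str):
        challenge = self._pending.pop(code, None)  # single use, even on failure
        if challenge is None:
            return None  # unknown or already-used code
        expected = code_challenge_s256(code_verifier)
        if not secrets.compare_digest(expected, challenge):
            return None  # verifier does not match the bound challenge
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow(code_only_redeemer: bool = False) -> bool:
    """Run one exchange; return True if a token was issued.

    With code_only_redeemer=True the code is redeemed by a party that saw the
    authorization code but never had the verifier, which PKCE must reject.
    """
    server = AuthorizationServer()
    verifier = generate_code_verifier()
    code = server.authorize(code_challenge_s256(verifier))
    presented = generate_code_verifier() if code_only_redeemer else verifier
    return server.token(code, presented) is not None


if __name__ == "__main__":
    print("legitimate client:", run_flow())
    print("code without verifier:", run_flow(code_only_redeemer=True))
```

The `code_challenge_s256` output can be checked against the RFC 7636 Appendix B test vector; the constant-time comparison and the single-use `pop` are the two server-side details most often missed when a team hand-rolls this instead of relying on the provider's library.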

riverma commented 1 year ago

@ramesh-maddegoda - had some time to go through your material, and wow! You've done such a comprehensive and thorough job - thanks so much for sharing. You're rocking the security work!

Wanted to brainstorm which aspects of your work could be most helpful to the SLIM community.

Here's an idea I was thinking: a push-button instantiation of your security architecture to support the Earthdata auth / JPL auth integrated security layer around a pre-existing API or web-UI running on AWS. In other words, we could generalize / publish a limited set of your docs along with the requisite Terraform (or other tool) to automatically spin up the AWS infrastructure needed. This is in-line with our philosophy of automation > guides.

I can imagine several projects benefiting from something like that, but I wonder if Unity devs would even benefit from instantiating a test venue to test out their app's security before integration with U-CS.

Let me know your thoughts! @jpl-jengelke FYI.

riverma commented 1 year ago

+1'd by @nttoole @galenatjpl @kgrimes2, @pymonger

galenatjpl commented 9 months ago

@awdtinio Given all of the recent confusion and efforts in various projects related to A&A, I suggested in a SLIM meeting today that SLIM think about ways that they can help to alleviate/streamline A&A efforts in the future. These could be ways to proactively use security best practices and proactively address the A&A “controls”. Rishi created a ticket here, where we are starting to gather thoughts. I mentioned that you might be a good point of contact to provide some information about what the controls are (is there an overall list?), and also might have some thoughts about this area, since you have been involved in this. So feel free to chime in on this ticket if you have any ideas.