Open MorganRodgers opened 4 years ago
I believe the most applicable guide for this project would be this one:
https://www.stigviewer.com/stig/application_security_and_development/2018-12-24/MAC-3_Classified/
I selected the MAC 3 classified profile since a lot of DoE labs operate classified equipment.
A lot of the controls probably aren't applicable. For example, V-70399 "Procedures must be in place to notify users when an application is decommissioned." isn't going to apply to the application. In that case you'd say something like "Not applicable - administrators are responsible for decommissioning their instances should development cease."
Most of the time you see these things as Excel or XML documents. I'm not entirely sure what the best way to collaborate on such a thing might be. Maybe some kind of Google Doc?
As for collaborating, what would the table look like? I see on that linked page an Excel or XML or JSON can be downloaded but it looks like that just contains a list of all the Finding IDs and related check text that can be found on the details page of each Finding. Are you imagining we do something like this:
| Finding ID | Status |
|---|---|
| V-69343 | It could be said this is possible if the federated authentication that Apache is configured with is properly configured. However, since one of our recommendations is using Keycloak or CILogon, and we are considering defaulting to CILogon, perhaps we should see if this is an option? TODO: Insert link to GitHub issue we opened for this |
| V-70399 | Not applicable - administrators are responsible for decommissioning their instances should development cease |
| V-70385 | TODO: Insert link to coding standards |
Or would the table be more complex? If we did something simple like the above, one option is to use reStructuredText's list tables. GitHub can render this in a reStructuredText file in the root of this repo or as a page in the wiki.
In practice these things are usually submitted via Excel workbook so the security folks can check off the list. But, it's probably better to start a markdown table then, once that's filled out, move on to an Excel sheet with check texts, fix texts, and whatnot.
I set up a checklist and team on https://ondemand.vaulted.io. Maybe a tool like that would be helpful? I took these steps:
288 not reviewed!
Looks like a nice interface with conversation, tags, and text field to put "Finding details" and "Comments":
@nealepetrillo I'm happy to send an invite to you if you are interested. Do you know about this tool?
Awesome! Haven't heard about that tool but looks like a good fit. I signed up and will review in the next day or two.
review relevant standards, maybe ask Kyle about current efforts
In a nutshell STIG is a security self assessment, and we were told that this would assist with uptake for US federal HPC sites.
https://csrc.nist.gov/glossary/term/security-technical-implementation-guide