antonio-bravo / globaldevopsexperience_gdex-afterevent


Challenge 4: Enhancing System Security in Response to Industry Breach #15

Open antonio-bravo opened 3 months ago

antonio-bravo commented 3 months ago

Challenge 4: Enhancing System Security in Response to Industry Breach

As the CISO of Globoticket, I want to implement rigorous security practices to ensure our systems are fortified against vulnerabilities similar to those that led to a competitor's significant data breach. This proactive approach will help maintain customer trust and ensure the security of sensitive information. To overcome this, we have purchased the tool GitHub Advanced Security to help address these issues.

Why:

Acceptance Criteria:

1. Security Tool Activation:
   - Enable GitHub Advanced Security (GHAS) along with all its separate features to scan and monitor our repository for vulnerabilities.
2. Software Bill of Materials (SBOM):
   - Export an SBOM and rename it to sbom.json. Create a folder on the main branch called sbom and put the exported sbom.json in it for a detailed audit and tracking of all components used in our software.
3. Dependency Management:
   - Address all Dependabot alerts, prioritizing fixes from critical to high and then medium, ensuring all dependencies are up-to-date and secure.
4. Code Quality Assurance:
   - Resolve all CodeQL alerts, either by fixing the issues directly or dismissing them as false positives after thorough evaluation.
5. OWASP Compliance Check:
   - Conduct a comprehensive check for common OWASP vulnerabilities, particularly SQL Injection. Transition to using SQL parameters to prevent such risks.
   - Utilize GitHub Copilot to assist in identifying and resolving these security issues effectively.
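The SQL-parameter transition asked for in criterion 5, shown as an added example that is not code from the Globoticket repository: a constructed in-memory sqlite3 events table queried first by string concatenation and then with a bound parameter, so the difference in how a quote-bearing input is treated is visible. The table, column names and the sample input are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample ticket data standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (id INTEGER, name TEXT, city TEXT)")
    conn.executemany(
        "INSERT INTO events VALUES (?, ?, ?)",
        [
            (1, "Jazz Night", "Amsterdam"),
            (2, "Rock Fest", "Berlin"),
            (3, "Opera Gala", "Amsterdam"),
        ],
    )
    return conn


def find_events_vulnerable(conn, city):
    """The 'before' form: user input is spliced into the SQL text itself,
    so quote characters in the input change the query's structure."""
    sql = "SELECT name FROM events WHERE city = '" + city + "'"
    return [row[0] for row in conn.execute(sql)]


def find_events_parameterized(conn, city):
    """The hardened form: the value travels separately from the SQL text
    via a '?' placeholder, so it is compared as plain data."""
    sql = "SELECT name FROM events WHERE city = ?"
    return [row[0] for row in conn.execute(sql, (city,))]


if __name__ == "__main__":
    conn = make_db()
    # A normal lookup behaves the same either way.
    print(find_events_vulnerable(conn, "Berlin"))       # ['Rock Fest']
    print(find_events_parameterized(conn, "Berlin"))    # ['Rock Fest']
    # A constructed input containing a quote: the concatenated query's WHERE
    # clause is rewritten and every row comes back; the parameterized query
    # looks for a city literally named that and finds nothing.
    odd = "Amsterdam' OR '1'='1"
    print(len(find_events_vulnerable(conn, odd)))       # 3
    print(find_events_parameterized(conn, odd))         # []
```

A CodeQL query for SQL built from string concatenation flags the first function; rewriting it to the placeholder form is the fix the criterion asks for.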

Challenge Tasks:


"Security is not a product, but a process." - Bruce Schneier