Challenge 4: Enhancing System Security in Response to Industry Breach
As the CISO of Globoticket, I want to implement rigorous security practices so that our systems are fortified against the kind of vulnerabilities that led to a competitor's significant data breach. This proactive approach will help maintain customer trust and protect sensitive information. To address this, we have purchased GitHub Advanced Security (GHAS).
Why:
Industry Breach Alert: A major competitor has suffered a data breach involving thousands of credit card records due to vulnerabilities in the System.Data.SqlClient package. This incident has raised concerns about the potential risks in our own systems.
Immediate Action Required: The urgency is highlighted by our CISO's concern about our exposure to similar vulnerabilities, prompting a comprehensive review and update of our security practices.
Acceptance Criteria:
Security Tool Activation:
Enable GitHub Advanced Security (GHAS) together with each of its features used in this challenge: code scanning with CodeQL, secret scanning, Dependabot alerts and the dependency graph (required for the SBOM export below), so that the repository is scanned and monitored for vulnerabilities.
Software Bill of Materials (SBOM):
Export an SBOM from the repository's dependency graph (Insights > Dependency graph > Export SBOM; the file is SPDX JSON), rename it to sbom.json, create a folder named sbom on the main branch and commit the file there, so that every component used in our software can be audited and tracked.
Dependency Management:
Address all Dependabot alerts in order of severity (critical, then high, then medium), upgrading the affected packages to patched versions; an alert is dismissed only with a documented reason.
Code Quality Assurance:
Resolve all CodeQL alerts, either by fixing the flagged code or by dismissing an alert as a false positive only after confirming that the flagged path cannot be reached with attacker-controlled input.
OWASP Compliance Check:
Check the code base for OWASP Top 10 issues, particularly SQL injection (A03:2021 Injection). Replace every query built by string concatenation or interpolation with a parameterized query, so that user input travels as a typed SqlParameter and can never alter the statement's structure.
Use GitHub Copilot to help locate and fix these issues.
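The vulnerable pattern next to its parameterized replacement, as an added example written for this page rather than code from the Globoticket repository. It uses System.Data.SqlClient as the page does (the same API ships in Microsoft.Data.SqlClient, the package Microsoft now recommends); the Tickets table, its columns, the method names and the injection payload in the comment are assumed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the Globoticket repository. Assumes a Tickets table
// with columns EventName (nvarchar) and Price (money); the connection string is
// supplied by the caller.
public static class TicketSearch
{
    // VULNERABLE: user input is spliced into the SQL text. CodeQL reports this as
    // "SQL query built from user-controlled sources". A search value of
    //   x%' OR 1=1 --
    // returns every row, and a UNION SELECT can read any other table the login can see.
    public static List<string> FindEventsUnsafe(string connectionString, string search)
    {
        var sql = "SELECT EventName FROM Tickets WHERE EventName LIKE '%" + search + "%'";
        return Run(connectionString, sql, null);
    }

    // FIXED: the query text is constant and the value travels as a typed parameter,
    // so the driver never lets it change the statement's structure.
    public static List<string> FindEventsSafe(string connectionString, string search, string sortBy)
    {
        // Identifiers cannot be parameterized; they must come from an allow-list instead.
        var column = SortColumnOrThrow(sortBy);
        var sql = "SELECT EventName FROM Tickets WHERE EventName LIKE @pattern ORDER BY " + column;
        var pattern = new SqlParameter("@pattern", SqlDbType.NVarChar, 200)
        {
            Value = "%" + EscapeLike(search) + "%"
        };
        return Run(connectionString, sql, pattern);
    }

    private static readonly string[] SortableColumns = { "EventName", "Price" };

    // Returns the canonical column name from our own constant list, never the
    // caller's string, so the concatenation above is provably untainted.
    public static string SortColumnOrThrow(string sortBy)
    {
        foreach (var column in SortableColumns)
            if (string.Equals(column, sortBy, StringComparison.OrdinalIgnoreCase))
                return column;
        throw new ArgumentException("Unsupported sort column", nameof(sortBy));
    }

    // '%', '_' and '[' are LIKE wildcards in T-SQL. They cannot inject SQL once the
    // value is a parameter, but a caller-supplied '%' still turns a search into a
    // full-table match, so escape them to keep the search literal.
    public static string EscapeLike(string value)
    {
        return value.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    private static List<string> Run(string connectionString, string sql, SqlParameter parameter)
    {
        var results = new List<string>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            if (parameter != null) cmd.Parameters.Add(parameter);
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read()) results.Add(reader.GetString(0));
            }
        }
        return results;
    }
}
```

Two points a quick fix often misses: an ORDER BY column or a table name cannot be a parameter, so it has to be selected from an allow-list of constants as above, and LIKE wildcards survive parameterization and need escaping when the search is meant to be literal. Dismissing a CodeQL SQL-injection alert as a false positive is justified only when the concatenated value can be shown to come from a constant, as the sort column does here.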
Challenge Tasks:
[ ] Turn on GHAS and activate all its features.
[ ] Generate an SBOM, rename it to 'sbom.json', place it in an 'sbom' folder at the repository root, and commit it to the main branch.
[ ] Tackle Dependabot alerts, starting with the most severe.
[ ] Address all CodeQL alerts appropriately.
[ ] Check for and fix any OWASP Top 10 vulnerabilities, especially SQL injection, by moving to parameterized queries.
"Security is not a product, but a process." - Bruce Schneier