Select tools to use to secure VANotify

[QaysarA]

The purpose of this spike would be to research and document any security concerns that must be addressed for VANotify prior to going into production

• [x] Consult with VA/VSP teams to understand and evaluate what tools are currently used for security/vulnerability scanning (Fortify, Sonar, Snyk, sastscan, hawkeye, bandit, dependabot, pyup, codeclimate, Twistlock)
  • Fortify - may need a licence, and what do we do with the uploaded results?
  • Sonar - nice github action, free for open source projects
  • Snyk - dependency scanning, nice github action, pricing unclear
  • Hawkeye - dependency scanning (out-of-date and vulnerabilities), security issues (using bandit)
  • Bandit - security issues scanning, installed as python dependency
  • Dependabot - dependency scanning and updates, build into github
  • PyUp - dependency scanning, can make PRs or run as a github check
  • CodeClimate - not really security, more of a code quality tool
  • Twistlock
• [x] Document options that need to be added - [ ] Do we need to add a Security policy, as recommended by github?
• [x] Discuss and document the results within our team
• [x] Create ADR
  • ADR 0005

Timebox - 3 Days

Security Toolbox Needs:

• Static code analysis
• Dependency checks
• Docker container vulnerability checks
• Scanning of committed Secrets
• Scanning for PII is out of scope for this story

Other guiding principles

• ease of implementation
• maintenance
• documentation
• potential learning curve
• for open source options: activity of maintainers, adoption rate

Notes:

• As a part of the implementation story (#104) and the subsequent stories that are added, the tools that we implement must be provided for documentation in the ATO

Assumption:

• Implementation of the options for remediation will be done in a different card (#104). One card will be created for each tool that we add.

[ffafara-tw]

Tools that might be of interest that are offered by DOTS (DevOps Tool Suite) team:

• Codacy
• code.scan
• Twistlock

[ffafara-tw]

Should ADR be part of this or implementation story?

[ffafara-tw]

Tooling used by VSP (thanks to Andrew Gunsch):

• Brakeman (scanning ruby dependency tree for known security vulns)
• plus being responsive to github security alerts in the repos
• static code analysis I think is mostly rubocop / eslint at this point

These are ruby specific and won't be applicable for our usecase.

[ffafara-tw]

Another tool to review: https://github.com/marketplace/actions/sast-scan

[ffafara-tw]

https://github.com/sonarsource/sonarcloud-github-action

[ffafara-tw]

https://lgtm.com/ It was bought by GitHub and seems well integrated with GitHub. Free for opensource.

[lingtran]

Matrix and recommendations documented in this spreadsheet

next: include resources from sw dev email thread and check out last week's town hall on security, also checkout infosec hub (do we want to share with infosec team?)

Summary of recommendations:

Bandit / Hawkeye

• Recommended: Yes
• Reasons: Meets our needs (minus image scanning), but no dashboard

lgtm

• Recommended: Yes
• Reasons: provides dashboard view that bandit/hawkeye don't provide, so it will be complimentary to them

Twistlock

• Recommended: Yes
• Reasons: meets all of our needs include image scanning and provides runtime monitoring already in VA ecosystem, used by DOTS

Snyk

• Recommended: It depends due to con
• Reasons:
  • big pros: can scan terraform and has github actions, and more or less free, other than need license for container scanning.
  • con: container scanning is a separate license. hawkeye/lgtm meets all our needs except for image scanning. if we are going to pay for this tool, we might as well go for Twistlock which also provides runtime monitoring.
• Next: need to do price comparisons with respect to twistlock/prisma cloud to determine if cost is justifiable

Codacy

• Recommended: It depends
• Reasons: Code quality checker, seems like a good tool if we want something like this

[lingtran]

After following up with team at dev sync this morning, took some follow-up actions and have these recommendations:

Recommend: Bandit / Hawkeye

• Meets our needs (minus image scanning), but no dashboard

Recommend: lgtm

• Provides dashboard view that bandit/hawkeye don't provide, so it will be complimentary to them. Also does code reviews.

Recommend: dependabot

• More actively maintained and now within the Github ecosystem, so easier integration. Also being used by other orgs like gov.uk, Mozilla, and PyPi. Has flexibility of adding reviewer to dependency update if necessary.

Recommend: Twistlock

• meets all of our needs include image scanning and provides runtime monitoring already in VA ecosystem, used by DOTS

[lingtran]

Noting a conversation has been scheduled with Sara Diaz from InfoSec for next week.