Automatically enforce app security

[rianfowler]

Overview

• according to github, vets-website dependencies have several outstanding security issues
• there is no ongoing security monitoring or auditing in place for vets-website
• resolving security issues in dependencies is time consuming when using just the default tools (e.g. npm audit)

Goals

• Establish standards and process for managing security risks on vets-website

Potential tasks

• Review third party offerings
• Determine constraints for using SaaS products for code review
• Create a plan for running a few options through a trial
• Determine rollout plan

Security tools to evaluate

• snyk: https://snyk.io/product/
• Veracode
• https://www.dareboost.com/en/offers#ifbefs_nfov

[rianfowler]

@brandonrapp @gunsch @johnpaulashenfelter

I've tried resolving some of the security issues on vets-website but frankly, it's a tough road to upgrade some of our dependencies. I think we have more alerts than we can resolve with the people we have and I don't have a good measure of the risk these issues pose to the platform.

I'm also only considering security issues with dependencies in npm. I think there are probably other security risks that we are not managing (e.g. we don't audit or evaluate the way people use veteran data in apps) and I'm not sure what our compliance requirements are.

[billfienberg]

Some other automated code review tools:

• https://aws.amazon.com/codeguru/
• https://www.codacy.com/

[meganhkelley]

Closing in favor of #25896