department-of-veterans-affairs / va.gov-team

Public resources for building on and in support of VA.gov. Visit complete Knowledge Hub:
https://depo-platform-documentation.scrollhelp.site/index.html

IPP Security Countermeasures-WASA #76962

Open lmorris3 opened 9 months ago

lmorris3 commented 9 months ago

Start WASA

https://sde.lighthouse.va.gov/bunits/va/in-person-identity-proofing/in-person-identity-proofing-first-project/tasks/phase/activities/27-CT2/how-tos

External Assessment Services (EAS) supports product development teams for WASA. Web Application Security Testing provides a combination of 90% manual testing and 10% automated testing. A 30 day notice is required for all Web Application Testing. After the questionnaire is fully filled out, submitted and approved, the app goes into our queue for testing. Once the app is assigned to one of our testers it could take up to 5 business days to complete. This is based on the size of the application. After testing is completed, a report will be sent out. Once the findings have been remediated a retest can be requested.

How to get started

  1. Navigate to the EAS Portal and click Get Started under the WASA tile.
  2. Complete the WASA form, and click Submit (refer to the How-to section below for field definitions and suggested form responses on some of the fields that are common for all app dev teams).
  3a. If you receive your WASA results, and there are no vulnerabilities detected, you should include a comment/note sharing a link to your results, set the status of this SDE task to Complete, and your assessor will verify your task.
  3b. If you receive your WASA results, and there are vulnerabilities detected, your team must remediate those vulnerabilities or validate that they are false positives before this task can be considered Complete and verified by your assessor. Your final comment/note to your application assessor should share links to the implementation details that demonstrate how the vulnerabilities were addressed.
  4. You must also ensure that your EAS WASA ticket is officially closed. Please refer to EAS instructions on how to do this once you receive your WASA results.

CI8: Common WASA Form Responses

Helpful field definitions

  - eMASS Instance - Your system's eMASS ID
  - eMASS System Name - Represents the name you have identified for your system in eMASS (ideally this should match what you provided for a Product Name when onboarding to SecRel)
  - Is this a high value asset or FISMA high application - This represents your system categorization rating
  - Admin section url address - If your product has administrative functionality for specific user types, you should provide those specific url endpoints
  - Will the production application be on the internet or will it only be an internal application - Is your product externally facing or only leveraged on VA intranet
  - MOU attachment? - Does your system have any Memoranda of Understanding that describe agreements between your system and another that the EAS team should be aware of

Suggested responses for specific fields

The following is being provided as suggested responses due to the typical profile of apps on the LHDI Platform. You should always consider whether these suggested responses are accurate for your application's context.

  - Question 1.5 - No (this comes from your System Categorization task; most systems are FISMA Low or Moderate)
  - Question 1.6 - unknown
  - Question 1.7 - unknown
  - Question 1.8 - v1.0.0 if you are working towards launching your MVP to production, or the current version of your product
  - Question 1.10 - n/a
  - Question 1.12 - n/a
  - Question 1.14 - n/a
  - Question 1.21 - n/a
  - Question 1.24 - No
  - Question 1.25 - ATO
  - Question 1.26 - V21-05368-000
  - Question 1.27 - n/a (unless you are performing this WASA in conjunction with an ESECC request)
  - Question 1.28 - n/a
  - Question 1.30 - No
  - Question 1.31 - n/a
  - Question 1.32 - n/a; this app resides within the VAEC boundary, which is a private cloud server
  - Question 1.33 - Dept. of Veterans Affairs (replace if this app belongs to a different agency)
  - Question 1.34 - No specific physical location since this app is leveraging VAEC
  - Question 1.35 - No, we perform SAST and SCA scans with Snyk or GitHub CodeQL. All security scan data goes to our GitHub Repository's Security Center.
  - Question 1.36 - n/a (unless your application leverages domain/username for authorization and authentication)
  - Question 1.37 - unless your team has a different ISO, this should be andrew.fichter@va.gov
  - Question 2.1 - Yes
  - Question 2.2 - No
  - Question 2.3 - List your GitHub Repositories that align with your system (i.e. that align with the eMASS ID you used in this form)
  - Question 5.4 - Name = Kurt Delbene; Phone = 202-461-6910; Email = kurt.delbene@va.gov
  - Question 6.6 - n/a
  - Question 6.7 - n/a
  - Question 6.15 - unless your application has these resources, leave blank

SophiaPhilipMO commented 7 months ago

Order of operations:

  - VASI
  - eMASS
  - PTA
  - System Categorization
  - POAM - this is an output from SDElements; we have to come up with contingency plans to address anything that we cannot cover in the SDElements
  - WASA