department-of-veterans-affairs / va.gov-team

Public resources for building on and in support of VA.gov. Visit complete Knowledge Hub:
https://depo-platform-documentation.scrollhelp.site/index.html
284 stars 206 forks source link

2024 Tool Audit: Discovery: Rails App #80133

Open jennb33 opened 7 months ago

jennb33 commented 7 months ago

Issue Description

As the Platform Product Team, We need a better inventory of our tools, versions and features that are used, So that we can better manage and report on what is used and how

Since the initial deployment of various tools and software in our stack back in 2018, there have been continuous development and upgrades in these technologies. However, a methodical review to leverage new feature sets introduced in subsequent releases has been lacking. This gap in our process has potentially led to missed opportunities for enhancing our systems' efficiency, security, and performance.

A prime example of this situation is Redis (ElastiCache), which despite being upgraded, may not fully utilize features introduced in newer versions such as Cluster mode - which would allow for high availability via automatic failover and replication. This scenario could very likely extend to other components of our stack, such as Postgres, among others. Additionally, the absence of historical documentation on decision-making processes further complicates our ability to assess historical decisions.

We are also being asked by @tayism for a 'cheat sheet' list of the tools, services, or processes your team owns or manages so that Oddball and AdHoc knows who to notify when pointed feedback comes in.

Examples include:

Please document all findings for the tool from the audit in this Google document

SBOM - software bill of materials?


Tasks

Success Metrics

Acceptance Criteria

LindseySaari commented 7 months ago

Ideas: Global rate limiting? Anything we can do to migrate existing code to use encrypted attributes Audit the manifests to ensure sensitive values are stored appropriately Review breakers config - is the 50% default threshold good for all services?