emory-libraries / avalon

Avalon Media System – Samvera Application
http://www.avalonmediasystem.org/
Apache License 2.0

Request Security Scan #87

Closed libdgg closed 3 years ago

libdgg commented 3 years ago

The team thinks this may have already been done (also because of the security concern with the x-frame headers). We can plan on confirming if this has already been done.

libdgg commented 3 years ago

I contacted Elliot today (12/8/2020) to confirm and inquire about completion status or next steps.

libdgg commented 3 years ago

I had Elliot run a security scan on our test instance first. I sent this request to Elliot 12/10/2020 and he completed it this afternoon. "All the findings are low severity and relate to security headers and cookie policy. If you'd like to fix those, great, and if not it's not a big deal."

A copy of the report is here: https://emory.app.box.com/file/751996986654

libdgg commented 3 years ago

@SolomonHD and @rotated8 Since Elliot ran the scan in our avalon test instance, can you all tell whether anything went wrong with performance, or whether the test added any garbage to the back-end or caused other issues?

libdgg commented 3 years ago

@SolomonHD will check for any garbage or issues in the back-end.
@devanshu-m will review the report for any next steps related to headers.
NOTE: plan on running the scan on the prod instance based on what we find out about the above items.

devanshu-m commented 3 years ago

I will create a new ticket for header recommendations and put it in new issues.

libdgg commented 3 years ago

@SolomonHD please confirm whether any garbage or issues were added to the back-end of the test instance of avalon (or whether they were not) by adding a comment on this ticket in ZenHub. Thanks -DG

libdgg commented 3 years ago

DG will ask Elliot to run scan on prod and let James and Nina know.

libdgg commented 3 years ago

Elliot ran the scan on 1/19/2021 and reports that the only issues it found were related to missing optional security-related HTTP headers and loose cookie security settings.

Copies of the scan results are here: https://emory.app.box.com/folder/130051272570
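The two classes of finding reported above, missing security-related response headers and cookies set without protective attributes, are easy to re-check locally before and after any fix. The script below is an added example written for this page; it is not part of the Avalon project and does not come from the linked scan report. The list of headers it expects (HSTS, X-Frame-Options, X-Content-Type-Options, Content-Security-Policy, Referrer-Policy) and the cookie attributes it expects (Secure, HttpOnly, SameSite) are an assumption about what such scanners commonly flag, since the report itself is not reproduced on this page. The sample responses and the cookie name in them are constructed so the script runs offline; `scan_url` is provided for running it against a live instance.

```ruby
# Added example (not Avalon project code): check an HTTP response for missing
# or weak security headers and for cookies lacking protective attributes.
# The expected-header list below is an assumption about typical scanner
# baselines, not a transcription of the scan report linked in this issue.
require 'net/http'
require 'uri'

# Header name (lowercase) => predicate that returns truthy when the value is acceptable.
EXPECTED_HEADERS = {
  'strict-transport-security' => lambda { |v|
    m = v.match(/max-age=(\d+)/i)
    m && m[1].to_i >= 31_536_000 # at least one year
  },
  'x-frame-options'         => ->(v) { %w[DENY SAMEORIGIN].include?(v.strip.upcase) },
  'x-content-type-options'  => ->(v) { v.strip.casecmp('nosniff').zero? },
  'content-security-policy' => ->(v) { !v.strip.empty? },
  'referrer-policy'         => ->(v) { !v.strip.empty? },
}.freeze

# headers: Hash of lowercase header name => value (Set-Cookie is handled separately).
# Returns an Array of human-readable findings; empty means nothing flagged.
def check_headers(headers)
  EXPECTED_HEADERS.each_with_object([]) do |(name, acceptable), findings|
    value = headers[name]
    if value.nil?
      findings << "missing header: #{name}"
    elsif !acceptable.call(value)
      findings << "weak header: #{name}: #{value}"
    end
  end
end

# set_cookie: one Set-Cookie header value, e.g. "_session_id=abc; path=/; HttpOnly".
def check_cookie(set_cookie)
  name = set_cookie.split('=', 2).first.strip
  attrs = set_cookie.split(';').drop(1).map { |a| a.strip.downcase }
  findings = []
  findings << "cookie #{name} lacks Secure"   unless attrs.include?('secure')
  findings << "cookie #{name} lacks HttpOnly" unless attrs.include?('httponly')
  findings << "cookie #{name} lacks SameSite" unless attrs.any? { |a| a.start_with?('samesite=') }
  findings
end

def scan_response(headers, set_cookies)
  check_headers(headers) + set_cookies.flat_map { |c| check_cookie(c) }
end

# Fetch a live URL and scan it (network access; not exercised by the samples below).
def scan_url(url)
  res = Net::HTTP.get_response(URI(url))
  headers = {}
  res.each_header { |k, v| headers[k] = v unless k == 'set-cookie' }
  scan_response(headers, res.get_fields('set-cookie') || [])
end

# Constructed sample: a response with the kind of low-severity findings the scan described.
SAMPLE_HEADERS = {
  'content-type'    => 'text/html; charset=utf-8',
  'x-frame-options' => 'ALLOWALL',
}.freeze
SAMPLE_COOKIES = ['_session_id=abc123; path=/; HttpOnly'].freeze

# Constructed sample: the same response after the headers and cookie flags are tightened.
HARDENED_HEADERS = {
  'content-type'              => 'text/html; charset=utf-8',
  'strict-transport-security' => 'max-age=31536000; includeSubDomains',
  'x-frame-options'           => 'SAMEORIGIN',
  'x-content-type-options'    => 'nosniff',
  'content-security-policy'   => "default-src 'self'",
  'referrer-policy'           => 'strict-origin-when-cross-origin',
}.freeze
HARDENED_COOKIES = ['_session_id=abc123; path=/; Secure; HttpOnly; SameSite=Lax'].freeze

if __FILE__ == $PROGRAM_NAME
  puts 'Before:', scan_response(SAMPLE_HEADERS, SAMPLE_COOKIES)
  puts 'After:',  scan_response(HARDENED_HEADERS, HARDENED_COOKIES).inspect
  scan_url(ARGV[0]).each { |f| puts f } if ARGV[0]
end
```

Run it as `ruby check_headers.rb https://your-test-instance/` to scan a deployment, or with no argument to see the constructed before/after samples. For a Rails application such as Avalon, `config.force_ssl = true` turns on HSTS and marks cookies Secure, and `config.action_dispatch.default_headers` is where X-Frame-Options and X-Content-Type-Options are set; Content-Security-Policy and SameSite are configured separately.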

libdgg commented 3 years ago

@rotated8 @SolomonHD @mprefer please see the scan results linked above and let me know if this is ok to close (acceptable risks) or if there are things we need to address at this time.

rotated8 commented 3 years ago

I am happy to accept the risks as is. +1 for closing.

libdgg commented 3 years ago

Solomon responded in Slack: "It looks like the remaining issues are low in risk. If Elliot is not complaining about them then I think they're fine."

libdgg commented 3 years ago

Mark will review today and let DG know if risks are acceptable.

libdgg commented 3 years ago

Mark responded in Slack: "I looked and everything is either informational or low. I don't think the lows are significant, unless Elliot thinks otherwise. I'll look at it and see what headers we can add, but since they are low, not going to dash."

libdgg commented 3 years ago

Closing this ticket as the risks are low and Elliot and the team are not identifying any immediate actions to take.