Closed libdgg closed 3 years ago
I contacted Elliot today (12/8/2020) to confirm and inquire about completion status or next steps.
I had Elliot run a security scan on our test instance first. I sent this request to Elliot 12/10/2020 and he completed it this afternoon. "All the findings are low severity and relate to security headers and cookie policy. If you'd like to fix those, great, and if not it's not a big deal."
A copy of the report is here: https://emory.app.box.com/file/751996986654
@SolomonHD and @rotated8: since Elliot ran the scan in our avalon test instance, can you all tell whether anything went wrong with performance, or whether the test added any garbage to the back-end or caused other issues?
@SolomonHD will check for any garbage or issues in the back-end. @devanshu-m will review the report for any next steps related to headers. NOTE: plan on running the scan on the prod instance based on what we find out about the above items.
I will create a new ticket for header recommendations and put it in new issues.
@SolomonHD please confirm if any garbage or issues were added to the back-end of the test instance of avalon (or if they were not) by adding a comment on this ticket in zenhub. Thanks -DG
DG will ask Elliot to run scan on prod and let James and Nina know.
Elliot ran the scan on 1/19/2021 and reports that the only issues it found were related to missing optional security-related HTTP headers and loose cookie security settings.
Copies of the scan results are here: https://emory.app.box.com/folder/130051272570
@rotated @SolomonHD @mprefer please see the scan results linked above and let me know if this is ok to close (acceptable risks) or if there are things we need to address at this time.
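The two finding classes named above (missing optional security headers and loose cookie settings) are easy to check for yourself before and after a header change. The following is an added example, not code from this thread, from the scanner Elliot used, or from the Avalon project: it parses the header block of a captured HTTP response and reports absent security headers and cookies lacking `Secure`, `HttpOnly` or `SameSite`. The header list is an assumption drawn from common guidance, not the scanner's rule set, and the sample response is constructed.

```python
"""Report missing security headers and weak cookie attributes in a captured
HTTP response.  Added example; the expected-header list is an assumption
based on common guidance, not the scanner's actual rules."""
from typing import Dict, List, Tuple

# Headers whose absence is typically reported as a low-severity finding
# (assumed list; adjust to your own policy).
EXPECTED_HEADERS = {
    "strict-transport-security": "Strict-Transport-Security",
    "x-frame-options": "X-Frame-Options",
    "x-content-type-options": "X-Content-Type-Options",
    "content-security-policy": "Content-Security-Policy",
    "referrer-policy": "Referrer-Policy",
}


def parse_response_headers(raw: str) -> List[Tuple[str, str]]:
    """Turn the header block of a raw HTTP response into (name, value) pairs.
    Names are lower-cased; repeated headers (e.g. several Set-Cookie lines)
    are kept as separate pairs."""
    lines = raw.strip().splitlines()
    if lines and lines[0].upper().startswith("HTTP/"):
        lines = lines[1:]  # drop the status line
    pairs: List[Tuple[str, str]] = []
    for line in lines:
        if not line.strip():
            break  # blank line ends the header block; ignore the body
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_headers(pairs: List[Tuple[str, str]]) -> List[str]:
    """List expected security headers that are absent from the response."""
    present = {name for name, _ in pairs}
    return [f"missing header: {EXPECTED_HEADERS[h]}"
            for h in EXPECTED_HEADERS if h not in present]


def _cookie_attributes(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'name=val; Attr; Attr=val' into the cookie name and its
    attributes (keys lower-cased, flag attributes mapped to '')."""
    parts = [p.strip() for p in value.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return cookie_name, attrs


def check_cookies(pairs: List[Tuple[str, str]]) -> List[str]:
    """Flag Set-Cookie headers that omit Secure, HttpOnly or SameSite, and
    the SameSite=None-without-Secure combination browsers reject."""
    findings: List[str] = []
    for name, value in pairs:
        if name != "set-cookie":
            continue
        cookie_name, attrs = _cookie_attributes(value)
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name}: missing HttpOnly")
        if "samesite" not in attrs:
            findings.append(f"cookie {cookie_name}: missing SameSite")
        elif attrs["samesite"].lower() == "none" and "secure" not in attrs:
            findings.append(f"cookie {cookie_name}: SameSite=None without Secure")
    return findings


def audit(raw: str) -> List[str]:
    """Run both checks over a raw response and return all findings."""
    pairs = parse_response_headers(raw)
    return check_headers(pairs) + check_cookies(pairs)


# Constructed sample response; not real scan data from the test instance.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Content-Type-Options: nosniff
Set-Cookie: _session_id=abc123; Path=/; HttpOnly
Set-Cookie: remember_me=1; Path=/; Secure; HttpOnly; SameSite=Lax

<html>...</html>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print(finding)
```

Run it against a response captured with `curl -i` from the instance to get the same kind of list the scan produced; once the headers are added on the server side, the `check_headers` portion should come back empty.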
I am happy to accept the risks as is. +1 for closing.
Solomon responded in slack: "It looks like the remaining issues are low in risk. If Elliot is not complaining about them then I think they're fine."
Mark will review today and let DG know if risks are acceptable.
Mark responded in slack: "I looked and everything is either informational or low. I don't think the lows are significant, unless Elliot thinks otherwise. I'll look at it and see what headers we can add, but since they are low, not going to dash."
Closing this ticket as the risks are low and Elliot and the team are not identifying any immediate actions to take.
The team thinks this may have already been done (also because of the security concern with the x-frame headers). We can plan on confirming if this has already been done.