usgs-makerspace / makerspace-sandbox

Some initial R code for playing with data processing (maybe some light visualization).

Initiate vulnerability task process #73

Closed lindsayplatt closed 5 years ago

lindsayplatt commented 5 years ago

We know that in order for us to have this running in the cloud on prod, we have to pass a CHS vulnerability scan. We would like to start scanning during development so that we can catch issues as we go. We first need to figure out what the process is for running such a scan. Start by talking with Shawn/Ivan to scan our S3 test bucket.

Goals:

  1. Have a vulnerability scan done on our test bucket.
  2. Report back to the team on process & results.

mhines-usgs commented 5 years ago

Just got an email from CHS announcing a new service availability - not sure if we would want to try it or even if we could yet, but sharing... here is the link to more info: https://support.chs.usgs.gov/x/ZwJyAQ

tworr commented 5 years ago

Amazon Inspector looks like it's geared more towards auditing apps running on an EC2 instance vs. scanning a static site on S3. I'm waiting on confirmation whether we can use the normal Acunetix scan request method for sites on AWS or if there is a separate procedure for AWS.

lindsayplatt commented 5 years ago

Moving to 🚫 since you are waiting to hear back about something.

lindsayplatt commented 5 years ago

Any news on this @tworr?

tworr commented 5 years ago

I have identified the scan workflow but won't initiate the scan until other higher-priority items are complete.

lindsayplatt commented 5 years ago

Excellent. Do you have thoughts on when we should do this? By end of FY19?

tworr commented 5 years ago

I intend to do it as soon as I finish the other items I'm active on. It will be good to get an initial baseline of where we're at, although the only issues I would expect would be out-of-date js libraries which would be easy to address.

lindsayplatt commented 5 years ago

I'm going to say that this issue covers "initiation" and we can make follow-up issues after the fact. This sounds like it would make sense to prioritize before the end of FY19.

tworr commented 5 years ago

Oh yeah, definitely before the end of the FY so we can see if there are any major surprises. I was just putting it off for a week or two while I finish the Vue deploy and browser testing issues.

tworr commented 5 years ago

Note: Acunetix scanning is initiated using the normal ITSOT scan request form.

lindsayplatt commented 5 years ago

Sounds like the group would like us to push forward with this. If we are having any issues getting this done with OEI, Boyce says to contact him.

tworr commented 5 years ago

Security team is having licensing issues with Acunetix so they ran a Nessus scan instead, which found nothing. There is a slight chance Acunetix might find something Nessus didn't, but this indicates there are no major problems that would hold up final deployment.

When we finally deploy this to the public we do need to ensure that the public bucket uses HTTPS and sets an HSTS header (see https://https.cio.gov/hsts/).

In the meantime I can run Nessus scans on a local copy of the site as necessary.
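
The HTTPS/HSTS requirement mentioned above can be verified from the outside once the site is public. The following is an added example (not code from this repository or from the commenter): a small checker that parses a Strict-Transport-Security header value and flags the weaknesses the https.cio.gov guidance warns about, plus a live helper that confirms plain HTTP redirects to HTTPS and that the HTTPS response carries the header. The one-year max-age, includeSubDomains and preload thresholds are assumed from the HSTS preload list requirements; the sample header values in the test are constructed, not captured from the project's CloudFront distribution, and the `check_site` hostname is a placeholder.

```python
"""HSTS baseline checker (added example, not part of the issue or repo).

Thresholds (assumed from the HSTS preload list requirements):
  - max-age of at least one year
  - includeSubDomains present
  - preload present
"""
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import List, Optional

ONE_YEAR = 31536000  # seconds; assumed minimum max-age for a strong HSTS policy


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.present and not self.problems


def parse_hsts(header_value: Optional[str]) -> HstsResult:
    """Parse a Strict-Transport-Security value and list policy weaknesses."""
    if header_value is None:
        return HstsResult(present=False,
                          problems=["no Strict-Transport-Security header"])
    result = HstsResult(present=True)
    # Directives are ';'-separated and case-insensitive; values may be quoted.
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            try:
                result.max_age = int(value)
            except ValueError:
                result.problems.append(f"unparseable max-age: {value!r}")
        elif name == "includesubdomains":
            result.include_subdomains = True
        elif name == "preload":
            result.preload = True
    if result.max_age is None:
        if not any("max-age" in p for p in result.problems):
            result.problems.append("max-age directive missing")
    elif result.max_age == 0:
        result.problems.append("max-age=0 disables HSTS")
    elif result.max_age < ONE_YEAR:
        result.problems.append(f"max-age {result.max_age} is shorter than one year")
    if not result.include_subdomains:
        result.problems.append("includeSubDomains missing")
    if not result.preload:
        result.problems.append("preload missing")
    return result


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so we can inspect the 3xx itself."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_site(host: str, timeout: float = 10.0) -> dict:
    """Live check (needs network): HTTP must redirect to HTTPS, HTTPS must send HSTS."""
    findings = {"http_redirects_to_https": False, "hsts": None}
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        opener.open(f"http://{host}/", timeout=timeout)  # 2xx here means no redirect
    except urllib.error.HTTPError as err:
        location = err.headers.get("Location", "")
        findings["http_redirects_to_https"] = (
            err.code in (301, 302, 307, 308) and location.startswith("https://"))
    with urllib.request.urlopen(f"https://{host}/", timeout=timeout) as resp:
        findings["hsts"] = parse_hsts(resp.headers.get("Strict-Transport-Security"))
    return findings


if __name__ == "__main__":
    # "example.invalid" is a placeholder; substitute the public CloudFront hostname.
    report = check_site("example.invalid")
    print("HTTP -> HTTPS redirect:", report["http_redirects_to_https"])
    print("HSTS problems:", report["hsts"].problems or "none")
```

Run it against the public hostname after deployment; a clean result is a redirect on the plain-HTTP origin and an HSTS result with no problems. If the header is missing, that confirms the open question in this thread and is something to raise with CHS, since a CloudFront distribution can attach the header to responses even when the S3 origin does not send it.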

abriggs-usgs commented 5 years ago

The CloudFront URLs are all HTTPS, not sure about the HSTS header. Seems like something CHS would handle.

tworr commented 5 years ago

Just received another message from the security team - the original Nessus scan actually failed. I now have a working scan report to review. On first inspection there don't appear to be any major issues. I will continue to review the scan and I will make changes to the app as needed to address vulnerabilities.