flexion / flexion-sig-security
A collection of notes, research, proof of concept code, and issue tracking for various Flexion security initiatives.
Following up #16, discuss potential inclusion of grype and syft into recommended CI/CD tooling.
References:
As a Flexion engineer, to indulge my curiosity and desire to spend more time listening to the cool security-minded folk, I want some way to have other members of the SIG request access on behalf of newcomers so they do not have to wait for @tohch4 or other busy individuals.
As a Flexion staff member, in order to benefit from the experiences and interests of my peers, I would like to begin a 5-minute lightning talk series for guild meetings. I would like a way to see past talks, and upvote potential future talks.
As a Flexion engineer, in order to be confident in the sanity and safety of my build artifacts and related data, I would like guidance on how to properly configure SaaS CI/CD platforms, including, but not exclusively limited to:
@csykora-flexion has volunteered to present on his experimentation with Lyft's cloud account and graph database tooling, cartography.
As a Flexion engineer, to have a stronger degree of confidence in infrastructure changes executed by Infrastructure as Code tools like CloudFormation, Terraform, et cetera, I would like Flexion Security SIG to review and recommend approaches and tooling to analyze the security impact of creation, modification, and deletion of infrastructure with these tools.
Hypothesis: Flexion teams would benefit from a written Vulnerability Management Plan to outline the vulnerability management policy for each team and the standard operating procedure for dealing with findings from each type of security scanner in use by the team.
As a QPP engineer, in order to collaborate with teams across boundaries of customers and their projects, I would like a Flexion Security Knowledge Base to be created for common approaches to security design, practice, and implementation. That way I do not have to rediscover it myself!
As a Flexion security engineer, to define better application security standards regardless of customer site, I want guidance to explain that developers ought to use properly configured cookies, not LocalStorage or SessionStorage, to save sensitive session data in the claims of a JWT.
As a Flexioneer, in order to best understand techniques for assessing my project's security posture, I want to know how to create a new, minimal threat model, using the Flexion threat model template(s), understanding the terminology and how to complete it accurately.
(Thanks to @csykora-flexion for asking questions about the threat model template he is using for one project and convincing me to solicit the guild for feedback about this.)
As a Flexion engineer, to increase my confidence in safely collaborating with other contributors, I want guidance on specific tools and techniques security engineers use to examine a source code repository for erroneously-committed application secrets.
As a Flexion security engineer, in order to assist new employees, we should provide some quick summary information on recommended configuration of Flexion workstations to make following company policy easier and more consistent.
As a Flexion employee, to clarify ambiguity in and help prioritize overall security efforts for my project (new or ongoing), I would like a playbook to help me level set, start new security efforts, enhance important ones, and stop bad security practices.
Back-dating a GitHub issue for my talk today, as I got too busy to make it in advance!
As a Flexion security engineer, to more specifically implement each play in the playbook, I would like to extend the playbook (from #3) for each play to have a checklist of recommended, actionable objectives, like 18F's playbooks, such as this one.
@csykora-flexion has volunteered to present on his experimentation with using AWS CDK to generate roles without excessive privileges.
@nlandais has volunteered to present to the guild during the week of October 18th about his successful experimentation with using GitHub Actions OIDC and GCP Workload Identity Providers. With this method, he generates short-lived tokens and authenticates Infrastructure-as-Code jobs using GitHub Actions, all without storing hard-coded IAM keys in GitHub Actions Secrets.