flexion / flexion-sig-security Goto Github PK

Following up #16, discuss potential inclusion of grype and syft into recommended CI/CD tooling.

References:

• GitHub Action for grype
• GitHub Action for syft

As a Flexion engineer, to indulge my curiosity and desire to spend more time listening to the cool security-minded folk, I want some way to have other members of the SIG request access on behalf of newcomers so they do not have to wait for @tohch4 or other busy individuals.

As a Flexion staff member, in order to benefits from experiences and interests of my peers, I would like to begin a 5-minute lightning talk series for guild meetings. I would like a way to see past talks, and upvote potential future talks.

As a Flexion engineer, in order to be confident in the sanity and safety of my build artifacts and related data, I would like guidance on how to properly configure SaaS CI/CD platforms, including, but not exclusively limited to:

• Github Actions
• CircleCI
• Travis

@csykora-flexion has volunteered to present on his experimentation with Lyft's cloud account and graph database tooling, cartography.

As a Flexion engineer, to have a stronger degree of confidence in infrastructure changes executed by Infrastructure as Code tools like CloudFormation, Terraform, et cetera, I would like Flexion Security SIG to review and recommend approaches and tooling to analyze the security impact of creation, modification, and deletion of infrastructure with these tools.

See the Slack thread that surfaced this issue.

Hypothesis: Flexion teams would benefit from a written Vulnerability Management Plan to out like the vulnerability management policy for each team and the standard operating procedure for dealing with findings from each type of security scanner in use by the team.

• Vulnerability Management Plan Template The intent of this template is to provide a skeleton for a vulnerability management plan for your program. Adopt a VMP to provide basic structure around your response to vulnerabilities detected in your system. Please adapt this to your situation.
• Vulnerability Management Cycle
• Proactive Security Analysis Percent metric

As a QPP engineer, in order to collaborate with teams across boundaries of customers and their projects, I would like a Flexion Security Knowledge base be created for common approaches to security design, practice, and implementation. That why I do not have to rediscover it myself!

As a Flexion security engineer, to be define better application security standards regardless of customer site, I want guidance to explain that developers ought to use properly configured cookies, not LocalStorage or SessionStorage, to save sensitive session data in the claims of a JWT.

As a Flexioneer, in order to best understand techniques for assessing my project's security posture, I want to know how to create a new, minimal threat model, using the Flexion threat model template(s), understanding the terminology and how to complete it accurately.

(Thanks to @csykora-flexion for asking questions about the threat model template he is using for one project and convincing me to solicit the guild for feedback about this.)

As a Flexion engineer, to increase my confidence in safely collaborating with other contributors, I want guidance on specific tools and techniques security engineers use to examine a source code repository for erroneously-committed application secrets.

As a Flexion security engineer, in order to assist new employees, we should provide some quick summary information on recommended configuration of Flexion workstations to make following company policy easier and more consistent.

As a Flexion employee, to clarify ambiguity in and help prioritize overall security efforts for my project (new or ongoing), I would like a playbook to help me level set, start new security efforts, enhance important ones, and stop bad security practices.

Back-dating a GitHub issue for my talk today, as I got too busy to make it in advance! 😆

As a Flexion security engineer, to more specifically implement each play in the playbook, I would like to extend the playbook (from #3) for each play to have a checklist of recommended, actionable objectives, like 18F's playbooks, such as this one.

@csykora-flexion has volunteered to present on his experimentation with using AWS CDK to generate roles without excessive privileges.

@nlandais has volunteered to present the guild during the week of October 18th about his successful experimentation with using GitHub Actions OIDC and GCP Workload Identity Providers. With this method, he generates short-lived tokens, authenticate Infrastructure-as-Code jobs using GitHub Actions, all without storing hard-coded IAM keys in GitHub Actions Secrets.