Security Processes and Procedures
On at least a weekly basis, check the production CircleCI daily scan job to view the OWASP report.
Click:
- daily_scan / dynamic_security_scan
- Artifacts
- reports/owasp_report.html
Baseline of all known and accepted findings: https://2566-277889613-gh.circle-artifacts.com/0/reports/owasp_report.html
Update the baseline report link each time it is checked, as CircleCI artifacts are eventually deleted.
Audit logs shall be manually reviewed on a weekly basis using the audit log review saved filters on https://logs.fr.cloud.gov/app/home.
Infrastructure events shall be manually reviewed on a weekly basis using the events log.
On a weekly basis, run `terraform plan` and verify that there is no drift in the terraform configuration.
On a weekly basis, run `cf network-policies` and verify that the live policies are in agreement with the terraform baseline.
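As an added example (not part of this page or the project's own tooling), a shell script that automates the two weekly drift checks above: it interprets the exit code of `terraform plan -detailed-exitcode` and normalizes `cf network-policies` output for comparison against a baseline file. The baseline file, the sample output, and the exact column layout of `cf network-policies` are assumptions.

```shell
# Weekly drift checks (added example, not the project's own script).
# Assumptions: terraform and the cf CLI are on PATH, and a baseline of expected
# network policies is kept as "source destination protocol ports" lines in a file.
set -eu

# terraform plan -detailed-exitcode returns 0 = no changes, 1 = error, 2 = changes pending.
describe_plan_exit() {
  case "$1" in
    0) echo "no drift" ;;
    2) echo "DRIFT: live state differs from the terraform configuration" ;;
    *) echo "plan failed (exit $1): fix the error before trusting the drift check" ;;
  esac
}

# Run the plan read-only (no apply, no state lock) and return non-zero on drift or error.
check_terraform_drift() {
  rc=0
  terraform -chdir="$1" plan -detailed-exitcode -input=false -lock=false >/dev/null 2>&1 || rc=$?
  describe_plan_exit "$rc"
  [ "$rc" -eq 0 ]
}

# Reduce `cf network-policies` output (stdin) to sorted "source destination protocol ports" lines:
# drops the "Listing ..." banner, blank lines, the header row and any extra trailing columns.
normalize_policies() {
  awk 'NF >= 4 && $1 != "Listing" && $1 != "source" { print $1, $2, $3, $4 }' | sort
}

# Compare live policies (stdin) with the baseline file ($1); prints a unified diff on mismatch.
compare_policies() {
  if normalize_policies | diff -u "$1" -; then
    echo "network policies agree with the baseline"
  else
    echo "network policies DIVERGE from the baseline (see diff above)"
    return 1
  fi
}

# Constructed sample output and baseline for demonstration (not real cloud.gov data).
# The "debug -> api" policy is present live but absent from the baseline, so it is flagged.
SAMPLE_LIVE='Listing network policies in org example-org / space prod as ops@example.gov...
source    destination   protocol   ports
web       api           tcp        8080
api       db-proxy      tcp        5432
debug     api           tcp        22'
BASELINE_FILE="${TMPDIR:-/tmp}/policy-baseline.$$"
printf 'api db-proxy tcp 5432\nweb api tcp 8080\n' > "$BASELINE_FILE"
if printf '%s\n' "$SAMPLE_LIVE" | compare_policies "$BASELINE_FILE"; then :; fi
rm -f "$BASELINE_FILE"
# Weekly run: check_terraform_drift "$TERRAFORM_DIR" && cf network-policies | compare_policies "$BASELINE_FILE"
```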
See the access control SOP for user account review steps.
On a monthly basis, cloud.gov accounts and service keys across all spaces shall be reviewed. Any accounts that weren't properly removed during user off-boarding shall then be removed.