-
Notifications
You must be signed in to change notification settings - Fork 57
Security Event Review Checklist
Security events will be reviewed every Wednesday. Make github issues for each problem identified. For any incidents that happen regarding accounts, notify the FEC CISO, Wenchun Jiang, and follow the 18F incident response handbook.
The development team will have a rotation of log duty. Scheduling people for their rotation will be managed by the system owner during sprint planning.
Checklist:
- If reviewing during week 2 of a sprint, create github issues for next sprint and tag them with the proper milestone.
- Review Snyk for all repositories and:
- Open a ticket for all alerts, including a due date (15 days for critical, 30 days for high, 60 days for medium, and 90 days for low).
Example title:
[Snyk: Med] Open Redirect (Due 10/8/18)
- Make sure open alerts are tagged with a milestone/sprint that is scheduled to be deployed before the due date.
- Notify PM's in #product-management channel in Slack if open alerts are getting close to their deadline
- Review production logs for account creations, ensure these were approved in a ticket, and verify that the number of service keys in cloud.gov is unchanged.
- Review production logs for account permission elevations, ensure these were approved in a ticket
- Review actionable security events on production logs for successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, system events, all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes.
- Deactivate any accounts for people who have left the team.
- Note any findings in the Security Event Review issue.
- Close the Security Event Review issue.
See all Security Event Review issues here
SNYK DASHBOARD: https://snyk.io/org/fecgov/projects
- FEC-CMS: package.json and requirements.txt
- OPENFEC package.json, requirements.txt, and flyway
- FEC-EREGS package.json and requirements.txt
- FEC-PATTERN-LIBRARY package.json
Note: On fec-eregs
repo, regulations-parser.txt
is mainly used on local environment to parse regulations once every year. At this time we are not fixing any vulnerabilities found in regulations-parser.txt
. We just monitor and record them during weekly log review process.
If you haven't done so yet, you can also sign up for a free open-source account with Snyk and make a specialized dashboard and get security alerts mailed to you.
Compare account creation to account approvals
Look for account creations and other security events
in Kibana. Search for User change
event in the logs.
For example: CMS accounts created or edited in the past 14 days
Check or via dashboard click on our organization name and select the users section. Users need to be out of all spaces before you can use the dashboard tool to remove them as org users.
Note that deployer accounts have long, random strings for their names.