4 posts tagged with "security"

Security Office Hour meeting minutes

Announcements

  • SAST:
    • Veracode - Offboarding: Last reminder, license terminates on 30-March-2024
    • CodeQL - Onboarding - Workflow Setup: TRG 8.01
  • DAST security scans are not part of the next release 24.05 (updates will follow through the QG Acceptance Criteria)
  • KICS, Trivy, GitGuardian and Dependabot tools will continue as they are.

Security Office Hour meeting minutes

Announcements

  • SAST: The CodeQL transition is ongoing; PRs to add the corresponding workflows are in progress. The Veracode license will expire at the end of March, so everyone is encouraged to review their workflows to ensure a timely transition to CodeQL.
  • DAST: The Invicti license will expire at the end of August, and the website limit has already been exceeded. No DAST tool will be required for the next Quality Gate.
  • Secret scanning
    • GitGuardian is currently set up, but Gitleaks is a potential successor.
    • Testing of GitHub secret scanning is still in progress.
  • TRG 8.0 has been published as a draft; adjustments via PR are warmly welcome.

Open Discussions

  • none

Security Office Hour meeting minutes

Announcements

  • Security team approvals for most projects in scope of release 24.03 have been completed.
  • Upcoming changes for release 24.05 will focus on FOSS security tools, including:
    • switch from Veracode to CodeQL for SAST,
    • switch from GitGuardian to gitleaks for secrets scanning,
    • DAST will not be part of the upcoming TRG until further notice.
  • DAST was removed from the TRG due to issues with authenticated scans and with uploading the SARIF report as scanning alerts in the repository's Security section.

Open Discussions

  • An overarching issue for tracking the tool shifts was discussed, as it is necessary for proper planning by the teams.
    • Teams need to estimate the effort to adjust their GitHub workflows.
  • The PR for the new Security TRG was discussed, which includes a new requirement of remediation of findings with medium severity, but not for the 25.05 release.
    • Concerns were raised about the need for additional planned team resources for triaging these issues, and it was suggested that the TRG should be finalized and teams made aware.
  • What are best practices for scheduling security tool Actions workflows: on every PR, or at another frequency?
    • The TRG requires at least one run; this is the mandatory baseline for all.
    • Best practice is to run more frequently; recommendations differ per tool (e.g. secret scanning on every PR, dependency scanning on a weekly basis).
    • The triggers will be on push, on pull request and on a schedule; the schedule frequency depends on the repository's activity, so each team has to decide.
    • Best practice recommendations will be published in the sig-security repository.
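The trigger combination discussed above, as an added example workflow that is not taken from the minutes or from the sig-security repository: CodeQL runs on push, on pull request and on a weekly schedule, while the gitleaks job runs only on push and pull request, matching the "secret scanning on every PR" recommendation. The action versions, the cron expression, the branch name and the `permissions` block are assumptions; `security-events: write` is what the CodeQL SARIF upload needs to surface findings as code scanning alerts in the repository's Security tab.

```yaml
# Added example, not part of the original minutes. Assumed action versions:
# actions/checkout@v4, github/codeql-action@v3, gitleaks/gitleaks-action@v2.
name: security-scans

on:
  push:
    branches: [main]          # assumed default branch
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 3 * * 1"       # assumed: every Monday 03:00 UTC; adjust to repo activity

# Least privilege: read the code, write code-scanning alerts (needed for SARIF upload)
permissions:
  contents: read
  security-events: write

jobs:
  codeql:
    name: CodeQL SAST (push, PR and weekly schedule)
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [java]      # assumed project language(s)
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}

      # Autobuild covers most build systems; replace with explicit build steps if it fails
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      # Uploads the SARIF results as code scanning alerts in the Security tab
      - name: Analyze
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"

  gitleaks:
    name: Secret scanning (every push and PR, not on schedule)
    runs-on: ubuntu-latest
    if: github.event_name != 'schedule'
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0      # full history so secrets introduced in earlier commits are found

      - name: Run gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The `if: github.event_name != 'schedule'` guard is what lets one workflow file carry per-tool frequencies: a team that wants the weekly run to include secret scanning simply drops that line, and a team with a very active repository can loosen the cron for CodeQL without touching the PR-triggered jobs.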