Uploaded image for project: 'OpenShift Builds'
  1. OpenShift Builds
  2. BUILD-903

Findings from the Threat Model Source-to-image (S2I) Builder Image 1.3.8

XMLWordPrintable

      Story (Required)

      As a Security Architect trying to complete the Threat Model RH-SDL control I want all findings from the Thread Model inside the SDElements tool to be corrected.

      Background (Required)

      In order for a product to go GA at Red Hat, it needs to have performed the RH-SDL process. One of the items inside RH-SDL is Threat Modeling. As part of the Threat Model, weaknesses and countermeasures have been found for S2I and these need to be addressed, in order for the product to go GA.

      Out of scope

      n/a

      Approach (Required)

      All findings, which are added here as sub-tasks to this story, have to have a due date and an assignee. Countermeasures have to be implemented before the due date.

      Dependencies

      n/a

      Acceptance Criteria (Mandatory)

      • Step 1: All findings have a due date and an assignee
      • Step 2: All findings have their countermeasures implemented

      INVEST Checklist

      n/a

      Done Checklist

      • Code is completed, reviewed, documented and checked in
      • Unit and integration test automation have been delivered and running cleanly in continuous integration/staging/canary environment
      • Continuous Delivery pipeline(s) is able to proceed with new code included
      • Customer facing documentation, API docs etc. are produced/updated, reviewed and published
      • Acceptance criteria are met

          1.
          		 T186: Use recommended settings and the latest patches for third party libraries and software Sub-task Closed Major Divyanshu Agrawal
          2.
          		 T1365: Mitigate Server Side Request Forgery Sub-task Closed Normal Divyanshu Agrawal
          3.
          		 T15: Centralize authorization Sub-task Closed Normal Gaurav Kamathe
          4.
          		 T59: Use standard libraries for cryptography Sub-task Closed Normal Gaurav Kamathe
          5.
          		 T2129: Exercise security best practices for access management in microservices Sub-task Closed Normal Gaurav Kamathe
          6.
          		 T1917: Perform container security assessment Sub-task Closed Major Gaurav Kamathe
          7.
          		 T43: Avoid unsafe operating system interaction Sub-task Closed Major Divyanshu Agrawal
          8.
          		 T214: Protect confidential files on operating system or server Sub-task Closed Normal Divyanshu Agrawal
          9.
          		 T2126: Exercise security strategies for preventing credential abuse and stuffing attacks Sub-task Closed Normal Gaurav Kamathe
          10.
          		 T60: Use correct and approved cryptographic algorithms, parameters, and key lengths Sub-task Closed Normal Gaurav Kamathe
          11.
          		 T21: Ensure all data in transit is encrypted using a secure TLS channel Sub-task Closed Normal Divyanshu Agrawal
          12.
          		 T61: Disable default accounts or change all default passwords Sub-task Closed Normal Gaurav Kamathe
          13.
          		 T2130: Exercise best practices for securing microservices communication Sub-task Closed Normal Divyanshu Agrawal
          14.
          		 T248: Protect secret keys and passwords in the application Sub-task Closed Normal Divyanshu Agrawal
          15.
          		 T279: Avoid dynamically loading any code without proper security considerations Sub-task Closed Normal Divyanshu Agrawal

              diagrawa Divyanshu Agrawal
              gkamathe@redhat.com Gaurav Kamathe
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: