Nested Knowledge

Bringing Systematic Review to Life

User Tools

Site Tools

Trace:
wiki:policies:dev

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
wiki:policies:dev [2022/06/24 23:08]
kholub 		wiki:policies:dev [2024/01/25 23:02] (current)
katcow
Line 33: Line 33:
 === Supplier Adherence to SDLC === === Supplier Adherence to SDLC ===
  
-Nested Knowledge employees develop all application code. External platforms (e.g. AWS) may provide architecture, orchestrate deployment of, and execute application code. External libraries (e.g. OSS) are consumed by application code as modules. External platforms and libraries are verified with the following:+Nested Knowledge employees develop all application code. External platforms (e.g. AWS) may provide architecture, orchestrate deployment of, and execute application code. External libraries (e.g. OSS) are consumed by application code as modules. External providers offer data to code, most typically in the form of an API. External platforms, providers, and libraries are verified with the following:
  
   * A review of technical documentation   * A review of technical documentation
Line 43: Line 43:
         * Automate scanning for existing vulnerabilites using NPM vulnerability scanning, the pypi Safety DB, and GitHub vulnerability monitoring.         * Automate scanning for existing vulnerabilites using NPM vulnerability scanning, the pypi Safety DB, and GitHub vulnerability monitoring.
       * Does the supplier actively maintain the solution?       * Does the supplier actively maintain the solution?
-      * Does the supplier follow a standardized release versionig system? (e.g. SemVer)+      * Does the supplier follow a standardized release versioning system? (e.g. SemVer)
         * Are there reports of major version changes that weren't reported as such?         * Are there reports of major version changes that weren't reported as such?
   * Does the solution include a public issue tracker?   * Does the solution include a public issue tracker?
       * Are issues (bugs & security vulnerabilities) addressed quickly?       * Are issues (bugs & security vulnerabilities) addressed quickly?
 +  * Does the solution have a policy and/or history of disclosing vulnerabilities and breaches?
   * When available, code & version history review.   * When available, code & version history review.
       * Do all commits to the repository leave it in deployable condition?       * Do all commits to the repository leave it in deployable condition?
Line 75: Line 76:
 ====== System Design and Architecture ====== ====== System Design and Architecture ======
  
-The Nested Knowledge client application is served by an application server and hydrated by an API server; both of these servers run behind a load balancer. The API server communicates with the Search and ML backend services as well as the database. Certain functions of backend services communicate with external (public) APIs. The frontend servers, services, and database all run in a Vitrual Private Cloud (VPC) for network isolation. The frontend load balancers are exposed to receieve requests from the public internet. The client and server applications communicate with an external service, Auth0, for authentication; all communications with Auth0 are encrypted.+The Nested Knowledge client application is served by an application server and hydrated by an API server; both of these servers run behind a load balancer. The API server communicates with the Search and ML backend services as well as the database. Certain functions of backend services communicate with external (public) APIs. The frontend servers, services, and database all run in a Virtual Private Cloud (VPC) for network isolation. The frontend load balancers are exposed to receive requests from the public internet and are protected with a WAF using AWS's Core Ruleset. The client and server applications communicate with an external service, Auth0, for authentication; all communications with Auth0 are encrypted.
  
-{{  :wiki:policies:figure1-nkarchitecture1.png?nolink&600x400  }}+{{:wiki:policies:nk_architecture_updated.png?600}}
  
 ===== Security Requirements ===== ===== Security Requirements =====
  
-All application data are stored and processed inside the VPC. Data leaving the VPC are either encrypted to the authenticated & authorized client, or, in the case of external providers contain minimal & nonsensitive information (e.g. DOIs for unpaywall, search strings for PubMed). Within the VPC, communications between the database and all services are encrypted.+==== General ====
  
-Nested Knowledge does not manage user passwords or other authorization (handled by [[https://auth0.com/|Auth0]]).+All application data are stored and processed inside the VPC. Data leaving the VPC are either encrypted to the authenticated & authorized client, or, in the case of external providers contain minimal & nonsensitive information (e.g. DOIs for unpaywall, search strings for PubMed). HTTP traffic is served over HTTPS (redirect required); email traffic (through AWS SES) is encrypted from application to sender (TSL), and sender to receiver (TSL). Within the VPC, communications between the database and all services are encrypted. 
 + 
 +==== Authentication ==== 
 + 
 +Nested Knowledge does not manage user passwords or authentication (handled by [[https://auth0.com/|Auth0]] and Auth0 Lock). All communications with Auth0 from the client are encrypted (TSL), ensuring passwords are not communicated in plain text. Passwords stored by Auth0 are similarly salted & encrypted (bcrypt). Communications relayed by the client are similarly encrypted & RSA signed.
  
 ====== Software Applications on NK-Owned Devices ====== ====== Software Applications on NK-Owned Devices ======
  
 Our [[https://wiki.nested-knowledge.com/doku.php?id=wiki:policies:disaster#application_profile|application profile]] in the Business Continuity Plan describes the criticality of software applications used by Nested Knowledge employees on employee-owned devices. Our [[https://wiki.nested-knowledge.com/doku.php?id=wiki:policies:disaster#application_profile|application profile]] in the Business Continuity Plan describes the criticality of software applications used by Nested Knowledge employees on employee-owned devices.
- 
-At this time, Nested Knowledge does not issue personal computers or mobile devices to employees or contractors. 
  
 ====== Vulnerability and Patch Management ====== ====== Vulnerability and Patch Management ======
Line 95: Line 98:
 Nested Knowledge uses automated scanning to identify potential vulnerabilities in our operating environment and software dependencies. The risk of a vulnerability is assessed using the [[https://nvd.nist.gov/vuln-metrics/cvss|CVSS framework]]. Nested Knowledge uses automated scanning to identify potential vulnerabilities in our operating environment and software dependencies. The risk of a vulnerability is assessed using the [[https://nvd.nist.gov/vuln-metrics/cvss|CVSS framework]].
  
-Our cloud services provider (AWS) provides automated vulnerability reports on operating systems & databases running the application. Alerts derived from these reports are addressed by release engineers:+Our cloud services provider (AWS) provides automated vulnerability reports on operating systems & databases running the application. Application vulnerability scanning is performed by SecurityScorecard on an ongoing basis. Alerts derived from these reports are addressed by release engineers:
  
-  * The applicability & risk of the vulnerability is verified. If a vulnerability is deemed nonapplicable or low severity, it is added to our issue tracker. If applicable or medium or high severity, the vulnerability is assigned to an engineer immediately.+  * The applicability & risk of the vulnerability is verified and added to our issue tracker. If a vulnerability is deemed nonapplicable or low severity, it is prioritized amongst other development initiatives. If medium or high severity, the vulnerability is given highest priority, to be addressed by an engineer with next availability.
   * The viability of the recommended patch is assessed.   * The viability of the recommended patch is assessed.
       * Bug fix / minor version patches may be applied with minimal testing.       * Bug fix / minor version patches may be applied with minimal testing.
Line 103: Line 106:
   * The patch is applied during the next scheduled release window. If a vulnerability is deemed high severity, it triggers an immediate release upon review completion.   * The patch is applied during the next scheduled release window. If a vulnerability is deemed high severity, it triggers an immediate release upon review completion.
  
-Our dependency management tools (NPM pip) provide automated vulnerability scanning. Every build in our development environment produces a vulnerability report among dependencies. Alerts derived from these reports are addressed by developers.+Our dependency management tools (NPMpip, apt-get) provide automated vulnerability reporting & patch alerts. Every build in our development environment produces a vulnerability report among dependencies. Alerts derived from these reports are addressed by developers.
  
   * The applicability & risk of the vulnerability is verified. If a vulnerability is deemed nonapplicable or low severity, it is added to our issue tracker. If applicable or medium or high severity, the vulnerability is assigned to an engineer immediately.   * The applicability & risk of the vulnerability is verified. If a vulnerability is deemed nonapplicable or low severity, it is added to our issue tracker. If applicable or medium or high severity, the vulnerability is assigned to an engineer immediately.
Line 110: Line 113:
         * Contribute an upstream patch, for open source dependencies.         * Contribute an upstream patch, for open source dependencies.
         * Mitigate code paths triggering the vulnerability and begin researching alternative dependencies.         * Mitigate code paths triggering the vulnerability and begin researching alternative dependencies.
 +        * Replace or remove the dependency, with application code changes
   * The dependency and/or code change is deployed during the next scheduled release window. If a vulnerability is deemed high severity, it triggers an immediate release upon review completion.   * The dependency and/or code change is deployed during the next scheduled release window. If a vulnerability is deemed high severity, it triggers an immediate release upon review completion.
  
 === Revision History === === Revision History ===
  
-This policy will be reviewed on an annual basis. The next review will be completed by November 30, 2022.+This policy will be updated at least on an annual basis or when a signficant change occurs.
  
 ^Author^Date of Revision/Review^Comments/Description| ^Author^Date of Revision/Review^Comments/Description|
-|K. Cowie|12/17/2021|Minor Revisions to Secure Development Policy+|K. Cowie|01/24/2023|Reviewed
-|K. Holub|06/24/2022|Updated secure development environment standard|+|K. Holub|03/30/2023|Updating vulnerability scanning to include SecurityScorecard|
 |K. Kallmes|11/19/2021|Draft approved| |K. Kallmes|11/19/2021|Draft approved|
 +|P. Olaniran|9/22/2022|Minor Revisions|
  
 [[:wiki:policies|Return to Policies]] [[:wiki:policies|Return to Policies]]
  
  
wiki/policies/dev.1656112084.txt.gz · Last modified: 2022/06/24 23:08 by kholub

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki