Comments (10)
So one thing I'm working on is a HelloWorld-type app that demonstrates a complete SSP built up from various components.
Fantastic! 18F/compliance-toolkit#12 is a good place to start.
The schema and tooling are great, but there are gaps and more than a few areas of confusion. Before I dive in too deep on the schema or the Go code I should probably find out more about where y'all are heading.
Heh, yeah, you have every right to be confused. For context, we were building Masonry as a way to supplement cloud.gov, with the hope that it would be applicable more broadly. Masonry hasn't had a dedicated team in a month(?) or so, so the only work has been around getting what we need it to do for the cloud.gov FedRAMP process. This is why the information is a bit disorganized, and why the work has seemed to happen in fits and starts. We haven't really decided how much time 18F can dedicate to it in the near future—will bring that up with the team.
Some of the BDD examples are interesting, and I'd like to build on that
@geramirez @jcscottiii and @mogul can speak to this better than I can, but it seems that the BDD functionality is something we experimented with, but never fully fleshed out. My personal feeling is that we should put a disclaimer on that feature for now—or take it out altogether—while we get the usage for documentation stabilized.
I'm also interested in how, potentially, Nessus scans are created and run as part of a pipeline.
Anyone else have advice here?
Are there any sources of information I should be tracking besides the repos and issues for opencontrol/compliance-masonry and opencontrol/schemas?
I'd subscribe to all of the repositories in OpenControl, but other than that, relevant work is happening in:
I see that identity-idp has security committed in-place
What are you referring to specifically? Have a link?
from discuss.
it seems that the BDD functionality is something we experimented with, but never fully fleshed out. My personal feeling is that we should put a disclaimer on that feature for now—or take it out altogether—while we get the usage for documentation stabilized.
As far as I know the functionality is fine... The problem is that we haven't had time to actually supply specific BDD content for all of the assertions we're making in cg-compliance and the repos it depends on. I view that as tech debt on the part of that compliance material, not any sort of knock on the state of the functionality in compliance-masonry.
I'm also interested in how, potentially, Nessus scans are created and run as part of a pipeline.
Anyone else have advice here?
At 18F, we're treating generation of the compliance-masonry output as part of our continuous deployment pipeline. We expect instead to make that one of many steps in a "compliance toolkit" that constantly runs scans.
However, it could also be handled the inverse way... You can make BDD steps for the appropriate control sections that will run the Nessus scans! Then you basically generate the CM output, running the BDD along the way, and get a full result including note of the fact that the BDD tests passed as of the date the docs were generated. (Personally I prefer that concept, but it's not how compliance toolkit is set up to operate.)
I'd like to build on that with InSpec profiles that run against nodes or even the entire platform with inspec-aws
Personally, I would love to see an open source integration for using InSpec test/results to update OpenControl documentation.
Before I dive in too deep on the schema or the Go code I should probably find out more about where y'all are heading.
I entirely agree with @afeld. Also keep in mind that this project is moving in the direction of its users' and contributors' needs. Many of the major changes that have been made to the OpenControl schema or compliance-masonry have been discussed openly, i.e.:
opencontrol/compliance-masonry#85
opencontrol/compliance-masonry#2
opencontrol/compliance-masonry#11
Speaking of Nessus -- it looks like generation of Nessus scan configs is supposed to be part of the example pipeline -- at https://github.com/opencontrol/example-pipelines/blob/master/pws-fedramp.yml#L34
    uri: git@github.com:opencontrol/concourse-nessus-task.git
Is that a real repo and task? If so, how can I see it?
Thanks, Peter
Speaking of Nessus -- it looks like generation of Nessus scan configs is supposed to be part of the example pipeline... how can I see it?
Let's move to opencontrol/example-pipelines#3.
Just so you know, everything for cloud.gov except the secrets is in public repositories, so if a link is broken, it's only because we forgot to update it / are disorganized
I see that identity-idp has security committed in-place
What are you referring to specifically? Have a link?
Ah, found it!
https://github.com/18F/identity-idp/tree/master/docs/security
This is news to me
@afeld @mogul @geramirez Thanks for all the updates here. This has been really helpful! I'll close this as it seems we've covered the material in my original post. Cheers, Peter
Reopening for easier discoverability.
(Probably needs a better title if it's expected to be found.)
Reopening for easier discoverability.
Two year old discussion. Closing for inactivity. Feel free to reopen as appropriate!