Security Operations #
The following sections detail the different aspects of AppDat security operations.
Security Scanning #
The AppDat platform automatically performs security scanning of all applications deployed to an AppDat managed environment. Specifically, the AppDat platform performs container vulnerability scanning of all application containers daily.
CI/CD Pipeline Security Features #
As part of the AppDat “Auto DevOps (ADO)” CI/CD charts, all applications will be subjected to a stack of security scanning tools. These scans are run on check in of all code or configuration changes made to a given project.
A complete list of the security scanning functions that AppDat utilizes can be found here.
NOTE: AppDat compliance only requires a “clean” container scanning result. SAST or other security scan results are purely information for the customer and do not prevent AppDat application hosting.
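To make the scanning stack concrete, the following `.gitlab-ci.yml` is an added illustration of how GitLab's built-in scanners are wired into a pipeline so that they run on every push. It is not taken from the AppDat Auto DevOps charts; the template names are GitLab's own, while the stage layout, the build job and the `$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA` image name are assumptions for the example.

```yaml
# Added illustration, not AppDat's ADO charts. Template paths are GitLab's
# standard security templates; the build job and image naming are assumed.
stages:
  - build
  - test

include:
  # Informational scans (per the NOTE above, they do not gate hosting).
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  # The scan whose result AppDat compliance requires to be clean.
  - template: Security/Container-Scanning.gitlab-ci.yml

variables:
  # Image the container_scanning job pulls and scans. Assumed naming:
  # the build stage tags the image with the commit SHA and pushes it.
  CS_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

build:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    # Authenticate with the project registry without echoing the token to the job log.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$CS_IMAGE" .
    - docker push "$CS_IMAGE"
```

The template jobs run in the `test` stage by default, after the image exists, and each uploads its findings as a security report artifact; those reports are what the project's Security Dashboard and merge request widgets (described in the next section) display.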
Security Dashboards #
The findings from any of the CI/CD pipeline security scanning jobs can be monitored and reviewed with the project’s Security Dashboards as well as directly integrated into a project’s Merge Requests.
For full documentation on how to use the GitLab Security Dashboards, please see here.
Continuous Monitoring #
In addition to the security scanning that is incorporated into a specific project's CI/CD pipelines, AppDat also performs daily container vulnerability scans of all applications deployed to both the staging and production AppDat environments.
As application vulnerabilities are identified during these daily scans, the AppDat Security Team reviews and follows the Vulnerability Remediation Process defined below.
Vulnerability Remediation Process #
Customer Remediation Requirements #
If an AppDat SRE cannot correct a container scanning vulnerability within a customer's project, then the responsibility for remediation falls to the customer. As shown above, the AppDat SRE will open a remediation ticket within the applicable customer project repository and assign the remediation due date based on the NASA vulnerability remediation timelines. The remediation timeline is documented as the following:
If an AppDat customer is unable to remediate a vulnerability or disputes the finding as being a “false positive” or “not applicable” then an AppDat SRE will support the customer in determining the next set of actions which may include:
- Recommended application changes to remediate
- Vulnerability dismissal (false positive or not-applicable)
- Creation of an AppDat SSP Plan of Action and Milestone (POAM) to extend remediation timelines.
If a system fails to remediate the vulnerability within the required timelines, the AppDat team may be forced to stop a customer's deployment until a POAM or remediation can be deployed.
Accessibility Scanning #
The AppDat platform also performs Accessibility Scanning. Accessibility findings follow the same process as vulnerability findings, with an AppDat SRE opening a ticket on the applicable project and assigning it to the customer developers for remediation.
There are currently no strict remediation timelines for accessibility scanning results. However, this is subject to change in the future.
Cloud Service Account Credential Management #
Outside the scanning results for a customer’s application hosted with an AppDat environment, AppDat customers are also responsible for the security around the cloud service account credentials provided to them via project CI/CD variables or as injected into the application runtime environment within AppDat.
For more information on how AppDat provides cloud service account credentials, see here.