From dd7911c1247e186aabaaa958bb246aeccf91dda7 Mon Sep 17 00:00:00 2001 From: Tiffini Johnson Date: Wed, 16 Oct 2024 21:35:23 -0400 Subject: [PATCH 01/16] WIP - added empty Impact sections --- adr/007-software-bill-of-materials.md | 17 +++++++++++++++++ adr/008-load-testing.md | 17 +++++++++++++++++ adr/009-docker.md | 17 +++++++++++++++++ adr/010-iac-terraform.md | 16 ++++++++++++++++ adr/011-dast.md | 17 +++++++++++++++++ 5 files changed, 84 insertions(+) diff --git a/adr/007-software-bill-of-materials.md b/adr/007-software-bill-of-materials.md index c8020dd78..3193b0990 100644 --- a/adr/007-software-bill-of-materials.md +++ b/adr/007-software-bill-of-materials.md @@ -26,6 +26,23 @@ and hierarchical relationships. - CycloneDX can work with [Anchore/Grype](https://github.com/anchore/grype#recommended) for vulnerability scanning - CycloneDX is an accepted standard for the industry +## Impact + +### Positive + +- + + +### Negative + +- + + +### Risks + +- + + ### Related Issues - #76 diff --git a/adr/008-load-testing.md b/adr/008-load-testing.md index 522a01d44..42380b08d 100644 --- a/adr/008-load-testing.md +++ b/adr/008-load-testing.md @@ -28,6 +28,23 @@ real-life load conditions, both normal and extreme. - Easy to use UI - Simple setup and task configuration +## Impact + +### Positive + +- + + +### Negative + +- + + +### Risks + +- + + ### Related Issues - #76 diff --git a/adr/009-docker.md b/adr/009-docker.md index e56681026..7ef61eb2b 100644 --- a/adr/009-docker.md +++ b/adr/009-docker.md @@ -18,6 +18,23 @@ Docker is an open platform for developing, shipping, and running applications. D - When you’re ready, deploy your application into your production environment, as a container or an orchestrated service. - Allows for responsive deployment and scaling. +## Impact + +### Positive + +- + + +### Negative + +- + + +### Risks + +- + + [Reference](https://docs.docker.com/get-started/overview/) ### Related Issues 
diff --git a/adr/010-iac-terraform.md b/adr/010-iac-terraform.md index 9ad46421b..f1d6d1e04 100644 --- a/adr/010-iac-terraform.md +++ b/adr/010-iac-terraform.md @@ -30,6 +30,22 @@ There are probably even more. Terraform is multi-cloud and multi-tool, has a full-featured DSL, tracks state and dependencies, and is agentless. Terraform is also used by ReportStream. +## Impact + +### Positive + +- + + +### Negative + +- + + +### Risks + +- + ### Related Issues diff --git a/adr/011-dast.md b/adr/011-dast.md index afedb7477..7ce9148de 100644 --- a/adr/011-dast.md +++ b/adr/011-dast.md @@ -21,6 +21,23 @@ Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being mai [Reference](https://www.zaproxy.org/getting-started/) +## Impact + +### Positive + +- + + +### Negative + +- + + +### Risks + +- + + ### Related Issues - #77 From 0503eab6f8372f6f1c2e7b94ce4f108ff8fe9579 Mon Sep 17 00:00:00 2001 From: Tiffini Johnson Date: Fri, 18 Oct 2024 11:02:29 -0400 Subject: [PATCH 02/16] Updated adr 007 - added Impact section - updated content and formatting --- adr/007-software-bill-of-materials.md | 35 ++++++++++++++++++--------- 1 file changed, 23 insertions(+), 12 deletions(-) diff --git a/adr/007-software-bill-of-materials.md b/adr/007-software-bill-of-materials.md index 3193b0990..91004d6a3 100644 --- a/adr/007-software-bill-of-materials.md +++ b/adr/007-software-bill-of-materials.md 
@@ -4,11 +4,7 @@ Date: 2022-12-07 ## Decision -In the context of generating a secure modern application, -facing the need to monitor application dependencies and generate a -reliable SBOM, we decided to use the [CycloneDX Gradle Plugin](https://github.com/CycloneDX/cyclonedx-gradle-plugin#usage) -and against the use of Anchore/Syft or Snyk FOSSID for SBOM generation at release of a version build, -accepting that an SBOM needs to be generated during the CI/CD process +In the context of generating a secure modern application, facing the need to monitor application dependencies and generate a reliable SBOM, we decided to use the [CycloneDX Gradle Plugin](https://github.com/CycloneDX/cyclonedx-gradle-plugin#usage) and we chose not to use Anchore/Syft or Snyk FOSSID" for a smoother read.for SBOM generation at release of a version build, accepting that an SBOM needs to be generated during the CI/CD process ## Status @@ -17,10 +13,7 @@ Accepted. ## Context -An SBOM (Software Bill of Materials) is a machine-readable inventory -document (that will be generated with each release build) that captures -all the software components and dependencies, info on those components, -and hierarchical relationships. +An SBOM (a Software Bill of Materials) is a machine-readable inventory document (that will be generated with each release build) that captures all the software components and dependencies, info on those components, and hierarchical relationships. - CycloneDX plugin for gradle can be automated for use with existing CI/CD pipeline - CycloneDX can work with [Anchore/Syft](https://github.com/anchore/syft#supported-ecosystems) for format conversion - CycloneDX can work with [Anchore/Grype](https://github.com/anchore/grype#recommended) for vulnerability scanning 
@@ -29,18 +22,36 @@ and hierarchical relationships. ## Impact ### Positive +- **Automation in CI/CD:** The CycloneDX Gradle Plugin can seamlessly integrate SBOM generation into the CI/CD pipeline, ensuring the SBOM is always up to date with each release. + + +- **Industry Standard:** CycloneDX is widely accepted in the industry, ensuring compatibility with other tools and making compliance with security standards easier. + + +- **Vulnerability Scanning:** With the ability to integrate with tools like Anchore/Grype, one can easily add vulnerability scanning to the process. + + +- **Format Conversion:** supports integration with Anchore/Syft for SBOM format conversion, providing flexibility to meet different ecosystem requirements -- ### Negative -- +- **Tooling Overhead:** Maintaining additional tooling for SBOM generation (CycloneDX and optional tools like Grype and Syft) could increase the overhead for the project and team, in terms of learning and managing multiple components. + + +- **Build Time Impact:** The generation of an SBOM might increase the build time, especially as the project grows in complexity. ### Risks -- +- **Compliance Dependence:** Relying on CycloneDX as the primary tool for SBOM generation means that any bugs, limitations, or updates to the plugin can impact your compliance process. + + +- **Tool Maintenance:** Keeping CycloneDX and its integration with vulnerability scanning tools like Grype up to date _could_ require ongoing maintenance efforts to ensure compatibility and security. + + +- **Integration with Other Tools:** Future security or compliance needs _could_ require integration with other SBOM standards or tools not supported by CycloneDX, limiting flexibility. ### Related Issues From d4749ebd289616c24d1fb1d92b5dd24c96ac2a98 Mon Sep 17 00:00:00 2001 
From: Tiffini Johnson Date: Fri, 18 Oct 2024 11:11:58 -0400 Subject: [PATCH 03/16] Updated adr 008 - updated for clarity and formatting - filled Impact section --- adr/008-load-testing.md | 37 ++++++++++++++++++++----------------- 1 file changed, 20 insertions(+), 17 deletions(-) diff --git a/adr/008-load-testing.md b/adr/008-load-testing.md index 42380b08d..56f4885b1 100644 --- a/adr/008-load-testing.md +++ b/adr/008-load-testing.md @@ -4,15 +4,8 @@ Date: 2022-12-21 ## Decision -In the context of maintaining quality of service, -facing the need to consistently monitor and address performance concerns +In the context of maintaining quality of service and the need to consistently monitor and address performance concerns, we decided to use [Locust.io](https://locust.io/) instead of [Artillery.io](https://www.artillery.io/) or [JMeter](https://jmeter.apache.org/) for load testing. We accept that performance testing needs to be completed as part of the definition of done. -we decided to use the [Locust.io](https://locust.io/) -and against the use of [Artillery.io](https://www.artillery.io/) -or [JMeter](https://jmeter.apache.org/) - -for load testing, accepting that performance testing needs to completed -as a part of the definition of done. ## Status 
@@ -20,29 +13,39 @@ Accepted. ## Context -Load Testing assists in determining the performance of a system under +Load Testing will assist in determining the performance of a system under real-life load conditions, both normal and extreme. - - Locust.io is free, open-source, scalable - - Tests written in Python - - Works with gRPC servers - - Easy to use UI - - Simple setup and task configuration ## Impact ### Positive -- +- **Scalability:** Locust.io is highly scalable and can simulate millions of users, making it ideal for both small-scale and large-scale load tests. + + +- **Python-Based:** Writing tests in Python allows for flexibility and ease of use, especially for teams already familiar with the language. + + +- **Cost Efficiency:** Locust.io is open-source, and doesn’t require licensing fees, which can reduce the overall cost of performance testing. ### Negative -- +- **Limited Features:** Compared to more feature-rich tools, Locust.io might lack advanced performance monitoring or detailed reporting features. + + +- **Manual Script Writing:** Test scripts need to be manually written, which could be more time-consuming compared to GUI-based test creation offered by tools like JMeter or Artillery.io. ### Risks -- +- **Scalability Complexity:** While Locust.io is scalable, setting up distributed testing across multiple machines can introduce complexity, especially for teams with limited experience in handling distributed systems. + + +- **Tool Ecosystem:** If future testing needs expand beyond Locust.io's capabilities, there may be a need to switch or integrate with other tools, leading to additional complexity or costs. + + +- **Resource Usage:** Running large-scale tests using Locust.io may require significant system resources, which could impact cost and infrastructure planning. ### Related Issues From 9311fb1a8c511a8b1ca13b3d1118160815ebb2f6 Mon Sep 17 00:00:00 2001 
From: Tiffini Johnson Date: Fri, 18 Oct 2024 11:32:53 -0400 Subject: [PATCH 04/16] 007 - Removed unnecessary bulletpoints --- adr/007-software-bill-of-materials.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/adr/007-software-bill-of-materials.md b/adr/007-software-bill-of-materials.md index 91004d6a3..bb21dceae 100644 --- a/adr/007-software-bill-of-materials.md +++ b/adr/007-software-bill-of-materials.md @@ -4,7 +4,7 @@ Date: 2022-12-07 ## Decision -In the context of generating a secure modern application, facing the need to monitor application dependencies and generate a reliable SBOM, we decided to use the [CycloneDX Gradle Plugin](https://github.com/CycloneDX/cyclonedx-gradle-plugin#usage) and we chose not to use Anchore/Syft or Snyk FOSSID" for a smoother read.for SBOM generation at release of a version build, accepting that an SBOM needs to be generated during the CI/CD process +In the context of generating a secure modern application, facing the need to monitor application dependencies and generate a reliable SBOM, we decided to use the [CycloneDX Gradle Plugin](https://github.com/CycloneDX/cyclonedx-gradle-plugin#usage) and we chose not to use [Anchore/Syft](https://github.com/anchore/syft#supported-ecosystems) or Snyk FOSSID" for a smoother read.for SBOM generation at release of a version build, accepting that an SBOM needs to be generated during the CI/CD process ## Status 
@@ -14,10 +14,6 @@ Accepted. ## Context An SBOM (a Software Bill of Materials) is a machine-readable inventory document (that will be generated with each release build) that captures all the software components and dependencies, info on those components, and hierarchical relationships. -- CycloneDX plugin for gradle can be automated for use with existing CI/CD pipeline -- CycloneDX can work with [Anchore/Syft](https://github.com/anchore/syft#supported-ecosystems) for format conversion -- CycloneDX can work with [Anchore/Grype](https://github.com/anchore/grype#recommended) for vulnerability scanning -- CycloneDX is an accepted standard for the industry ## Impact @@ -28,7 +24,7 @@ An SBOM (a Software Bill of Materials) is a machine-readable inventory document - **Industry Standard:** CycloneDX is widely accepted in the industry, ensuring compatibility with other tools and making compliance with security standards easier. -- **Vulnerability Scanning:** With the ability to integrate with tools like Anchore/Grype, one can easily add vulnerability scanning to the process. +- **Vulnerability Scanning:** With the ability to integrate with tools like [Anchore/Grype](https://github.com/anchore/grype#recommended), one can easily add vulnerability scanning to the process. - **Format Conversion:** supports integration with Anchore/Syft for SBOM format conversion, providing flexibility to meet different ecosystem requirements From f02dbfe20fd4d07a2ca7bc8ad5b5929e3c11af77 Mon Sep 17 00:00:00 2001 From: Tiffini Johnson Date: Fri, 18 Oct 2024 11:37:34 -0400 Subject: [PATCH 05/16] Updated adr 009 - Docker - filled Impact section - updated formatting --- adr/009-docker.md | 35 +++++++++++++++++++++++++++-------- 1 file changed, 27 insertions(+), 8 deletions(-) diff --git a/adr/009-docker.md b/adr/009-docker.md index 7ef61eb2b..d43027129 100644 --- a/adr/009-docker.md +++ b/adr/009-docker.md 
@@ -6,6 +6,8 @@ Date: 2022-01-04 We will use [Docker](https://docs.docker.com/get-started/overview/) for containerization of our application. +- [Reference](https://docs.docker.com/get-started/overview/) + ## Status Accepted. 
@@ -13,29 +15,46 @@ Accepted. ## Context Docker is an open platform for developing, shipping, and running applications. Docker provides the ability to package and run an application in a loosely isolated environment. Some benefits of using Docker: -- Develop your application and its supporting components using containers. -- The container becomes the unit for distributing and testing your application. -- When you’re ready, deploy your application into your production environment, as a container or an orchestrated service. -- Allows for responsive deployment and scaling. + ## Impact ### Positive -- +- **Compatibility:** Docker containers can run consistently across various environments (development, testing, production), reducing compatibility issues and making it easier to move applications between different environments. + + +- **Isolation:** Each container runs in its own isolated environment, which minimizes conflicts between applications and simplifies dependency management. + + +- **Scalability:** Docker supports scaling applications easily through container orchestration tools like Kubernetes, allowing for better resource management and load handling. + + +- **Rapid Development:** Containers can be quickly built, tested, and deployed, accelerating the development cycle and improving productivity. + + +- **Ecosystem and Community:** Docker has a large and active community, providing a wealth of resources, tools, and best practices that can help in troubleshooting and optimization. ### Negative -- +- **Complexity in Orchestration:** managing a large number of containers can introduce complexity, especially without proper orchestration tools like Kubernetes. + + +- **Security Considerations:** Containers share the same OS kernel, which can pose security risks if not properly managed (e.g., vulnerability exposure). 
### Risks -- +- **Vendor Lock-In:** Relying on specific Docker features or services might lead to challenges in migrating to other containerization solutions in the future. + + +- **Configuration Drift:** As applications evolve, keeping container configurations consistent across different environments can be challenging, potentially leading to discrepancies. + + +- **Data Persistence:** Managing data persistence for stateful applications can be complicated with Docker containers, requiring additional solutions like volumes or external databases. -[Reference](https://docs.docker.com/get-started/overview/) ### Related Issues From 9ab9a40c2060ccbb984c28d7f7355b2066e6556b Mon Sep 17 00:00:00 2001 From: Tiffini Johnson Date: Fri, 18 Oct 2024 12:05:34 -0400 Subject: [PATCH 06/16] Updated adr 010 - filled in Impact section - updated formatting --- adr/010-iac-terraform.md | 35 +++++++++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/adr/010-iac-terraform.md b/adr/010-iac-terraform.md index f1d6d1e04..41cbb6230 100644 --- a/adr/010-iac-terraform.md +++ b/adr/010-iac-terraform.md @@ -1,4 +1,4 @@ -# 10. Terraform IaC for Deploys +# 10. Terraform IaC (Infrastructure as Code) for Deploys Date: 2023-01-04 @@ -12,8 +12,7 @@ Accepted. ## Context -Infrastructure as Code (IaC) is a industry best practice to get repeatable and resilient deployments of applications and -associated infrastructure into the cloud. +Infrastructure as Code (IaC) is an industry best practice to get repeatable and resilient deployments of applications and associated infrastructure into the cloud. There are many IaC options to deploy to Azure. 
@@ -34,17 +33,41 @@ Terraform is also used by ReportStream. ### Positive -- +- **Multi-Cloud Support:** Terraform allows deployment across multiple cloud providers (e.g., AWS, Azure, GCP), providing flexibility and avoiding vendor lock-in. + + +- **State Management:** Terraform tracks the state of your infrastructure, which helps prevent configuration drift and makes it easier to manage changes over time. + + +- **Declarative Language:** The HashiCorp Configuration Language (HCL) is easy to read and write, making it accessible for both developers and operations teams. + + +- **Community, Ecosystem and Version Control:** Terraform has a large community, a wealth of modules, and an extensive ecosystem of plugins and integrations, making it easier to find solutions and share best practices. Storing Terraform configurations in Git allow teams to track changes and roll them back if needed. + + +- **Automation and Integration:** Terraform can be integrated into CI/CD pipelines, allowing for automated infrastructure deployments alongside application code. ### Negative -- + +- **State File Management:** Managing the state file can introduce complexities, especially in teams where multiple people may modify infrastructure, leading to potential conflicts or errors. + + +- **Dependency Management:** Although Terraform manages dependencies between resources, complex infrastructures may require careful planning and a deep understanding of how dependencies interact, which can complicate deployment processes. ### Risks -- +- **State File Security:** The state file can contain sensitive information, so it's critical to implement proper security measures to protect it (e.g., using remote state storage with access controls). + + +- **Inconsistencies Across Environments:** Without strict version control and practices in place, discrepancies can arise between different environments (development, staging, production). 
+ + +- **Vendor Lock-In:** While Terraform itself is multi-cloud, reliance on specific providers' features or modules can lead to some level of vendor lock-in over time. + +- **Tool Updates:** Regular updates to Terraform or its providers could introduce breaking changes or require modifications to existing infrastructure code, which might affect ongoing deployments. ### Related Issues From ab380384328151db26872a91bba0ae8685c80876 Mon Sep 17 00:00:00 2001 From: Tiffini Johnson Date: Fri, 18 Oct 2024 12:23:31 -0400 Subject: [PATCH 07/16] Updated adr 011 - filled in Impact section for 011 - updated formatting --- adr/011-dast.md | 39 +++++++++++++++++++++++++++++---------- 1 file changed, 29 insertions(+), 10 deletions(-) diff --git a/adr/011-dast.md b/adr/011-dast.md index 7ce9148de..faf3fffea 100644 --- a/adr/011-dast.md +++ b/adr/011-dast.md @@ -1,9 +1,12 @@ -# 11. OWASP ZAP Dynamic Application Security Testing +# 11. OWASP ZAP Dynamic Application Security Testing (DAST) Date: 2023-02-06 ## Decision +- **OWASP** - [Open Web Application Security Project](https://owasp.org/about) +- **ZAP** - Zed Attack Proxy + We will use [OWASP ZAP](https://www.zaproxy.org/) for DAST scanning of our application. ## Status 
@@ -12,30 +15,46 @@ Accepted. ## Context -Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible. -- Has Docker image which allows for an isolated testing environment. -- It is open source and widely used. -- Provides crossed-platform. -- Has extensive community support. -- Can generate reports. +ZAP is a free, open-source penetration testing tool maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible. [Reference](https://www.zaproxy.org/getting-started/) ## Impact ### Positive + +- Integration Capabilities: ZAP can be integrated into CI/CD pipelines, enabling automated security testing as part of the software development lifecycle. + + +- User-Friendly Interface: ZAP has an easy-to-use interface that simplifies the process of running scans and analyzing results, making it accessible for teams with varying levels of expertise. + + +- Comprehensive Reporting: ZAP can generate detailed reports that help identify vulnerabilities and guide remediation efforts, useful for compliance and audits. -- +- Community Support: The active community surrounding ZAP provides a wealth of plugins, resources, and support, facilitating easier troubleshooting and best practices sharing. ### Negative -- +- **Learning Curve:** Teams new to penetration testing tools may face a learning curve to fully leverage ZAP's capabilities. + + +- **Resource Intensive:** Running ZAP scans, especially on larger applications, can consume significant system resources and impact performance during testing. + + +- **False Positives:** Like many DAST tools, ZAP may produce false positives, requiring additional time for manual verification of identified vulnerabilities. 
+ + +- **Limited Advanced Features:** While ZAP is powerful, it may lack some advanced features found in commercial DAST tools, such as specialized vulnerability assessments. ### Risks -- +- **Configuration Errors:** Incorrect configuration of ZAP may lead to incomplete scans or misinterpretation of results, potentially leaving vulnerabilities undetected. + +- **Production Systems Impact:** Running DAST scans on production environments can introduce performance issues or impact user experience if not managed carefully. + +- **Reliance on Community Support:** Relying on community resources for troubleshooting can lead to slower issue resolution compared to commercial tools with dedicated support. ### Related Issues From f790d7e37119de5e168778db3ef9fe4e5c4ff0e5 Mon Sep 17 00:00:00 2001 From: Tiffini Johnson Date: Wed, 23 Oct 2024 13:21:26 -0400 Subject: [PATCH 08/16] Fixing requested/suggested changes - applying changes suggested in the PR --- adr/007-software-bill-of-materials.md | 2 +- adr/009-docker.md | 2 +- adr/011-dast.md | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/adr/007-software-bill-of-materials.md b/adr/007-software-bill-of-materials.md index bb21dceae..f4eba44e4 100644 --- a/adr/007-software-bill-of-materials.md +++ b/adr/007-software-bill-of-materials.md 
@@ -4,7 +4,7 @@ Date: 2022-12-07 ## Decision -In the context of generating a secure modern application, facing the need to monitor application dependencies and generate a reliable SBOM, we decided to use the [CycloneDX Gradle Plugin](https://github.com/CycloneDX/cyclonedx-gradle-plugin#usage) and we chose not to use [Anchore/Syft](https://github.com/anchore/syft#supported-ecosystems) or Snyk FOSSID" for a smoother read.for SBOM generation at release of a version build, accepting that an SBOM needs to be generated during the CI/CD process +In the context of generating a secure modern application, facing the need to monitor application dependencies and generate a reliable SBOM, we decided to use the [CycloneDX Gradle Plugin](https://github.com/CycloneDX/cyclonedx-gradle-plugin#usage) and we chose not to use [Anchore/Syft](https://github.com/anchore/syft#supported-ecosystems) or Snyk FOSSID" for a smoother read. ## Status diff --git a/adr/009-docker.md b/adr/009-docker.md index d43027129..d70f71a4b 100644 --- a/adr/009-docker.md +++ b/adr/009-docker.md @@ -38,7 +38,7 @@ Docker is an open platform for developing, shipping, and running applications. D ### Negative -- **Complexity in Orchestration:** managing a large number of containers can introduce complexity, especially without proper orchestration tools like Kubernetes. +- **Complexity in Orchestration:** managing a large number of containers can introduce complexity, especially without proper orchestration tools. - **Security Considerations:** Containers share the same OS kernel, which can pose security risks if not properly managed (e.g., vulnerability exposure). diff --git a/adr/011-dast.md b/adr/011-dast.md index faf3fffea..1233ad91b 100644 --- a/adr/011-dast.md +++ b/adr/011-dast.md 
@@ -23,16 +23,16 @@ ZAP is a free, open-source penetration testing tool maintained under the umbrell ### Positive -- Integration Capabilities: ZAP can be integrated into CI/CD pipelines, enabling automated security testing as part of the software development lifecycle. +- **Integration Capabilities:** ZAP can be integrated into CI/CD pipelines, enabling automated security testing as part of the software development lifecycle. -- User-Friendly Interface: ZAP has an easy-to-use interface that simplifies the process of running scans and analyzing results, making it accessible for teams with varying levels of expertise. +- **User-Friendly Interface:** ZAP has an easy-to-use interface that simplifies the process of running scans and analyzing results, making it accessible for teams with varying levels of expertise. -- Comprehensive Reporting: ZAP can generate detailed reports that help identify vulnerabilities and guide remediation efforts, useful for compliance and audits. +- **Comprehensive Reporting:** ZAP can generate detailed reports that help identify vulnerabilities and guide remediation efforts, useful for compliance and audits. -- Community Support: The active community surrounding ZAP provides a wealth of plugins, resources, and support, facilitating easier troubleshooting and best practices sharing. +- **Community Support:** The active community surrounding ZAP provides a wealth of plugins, resources, and support, facilitating easier troubleshooting and best practices sharing. ### Negative From 0992f01aa883d40c337548853a68267e251960e2 Mon Sep 17 00:00:00 2001 From: Tiffini Johnson Date: Wed, 23 Oct 2024 13:24:50 -0400 Subject: [PATCH 09/16] Added missing . --- adr/007-software-bill-of-materials.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/adr/007-software-bill-of-materials.md b/adr/007-software-bill-of-materials.md index f4eba44e4..e5e7e8cb0 100644 --- a/adr/007-software-bill-of-materials.md +++ b/adr/007-software-bill-of-materials.md 
@@ -27,7 +27,7 @@ An SBOM (a Software Bill of Materials) is a machine-readable inventory document - **Vulnerability Scanning:** With the ability to integrate with tools like [Anchore/Grype](https://github.com/anchore/grype#recommended), one can easily add vulnerability scanning to the process. -- **Format Conversion:** supports integration with Anchore/Syft for SBOM format conversion, providing flexibility to meet different ecosystem requirements +- **Format Conversion:** supports integration with Anchore/Syft for SBOM format conversion, providing flexibility to meet different ecosystem requirements. From 3ace96fe24eccff99d8beda93f13c052a985b0ed Mon Sep 17 00:00:00 2001 From: Tiffini Johnson Date: Wed, 23 Oct 2024 13:27:14 -0400 Subject: [PATCH 10/16] Removed duplicated reference --- adr/009-docker.md | 1 - 1 file changed, 1 deletion(-) diff --git a/adr/009-docker.md b/adr/009-docker.md index d70f71a4b..fc1c1e253 100644 --- a/adr/009-docker.md +++ b/adr/009-docker.md @@ -6,7 +6,6 @@ Date: 2022-01-04 We will use [Docker](https://docs.docker.com/get-started/overview/) for containerization of our application. -- [Reference](https://docs.docker.com/get-started/overview/) ## Status From 795bc0754b3b5e74d0f08815653639fd96569e2c Mon Sep 17 00:00:00 2001 From: James Herr Date: Wed, 23 Oct 2024 12:37:20 -0500 Subject: [PATCH 11/16] Fixed TimeGenerated --- operations/template/alert.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/operations/template/alert.tf b/operations/template/alert.tf index aa99bd167..37d75b76b 100644 --- a/operations/template/alert.tf +++ b/operations/template/alert.tf @@ -137,7 +137,7 @@ resource "azurerm_monitor_scheduled_query_rules_alert" "ti-log-errors-alert" { query = <<-QUERY AppServiceConsoleLogs - | where TimeGenerated >= ago(00.001m) + | where TimeGenerated >= ago(30m) and TimeGenerated <= now() | project columnifexists("ResultDescription", 'default_value') | project JsonResult = parse_json(ResultDescription) 
From cc9cf34f1366bf71dea893ab0cbc0c2bcab0a8eb Mon Sep 17 00:00:00 2001 From: James Herr Date: Wed, 23 Oct 2024 12:56:00 -0500 Subject: [PATCH 12/16] Testing alert fix for not hooking up to slack --- operations/template/alert.tf | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/operations/template/alert.tf b/operations/template/alert.tf index 37d75b76b..898356a2d 100644 --- a/operations/template/alert.tf +++ b/operations/template/alert.tf @@ -136,14 +136,11 @@ resource "azurerm_monitor_scheduled_query_rules_alert" "ti-log-errors-alert" { enabled = true query = <<-QUERY - AppServiceConsoleLogs - | where TimeGenerated >= ago(30m) + AppServiceConsoleLogs + | where ResultDescription contains 'Error' + and TimeGenerated >= ago(30m) and TimeGenerated <= now() - | project columnifexists("ResultDescription", 'default_value') - | project JsonResult = parse_json(ResultDescription) - | evaluate bag_unpack(JsonResult) : (level:string) - | where level in ( 'ERROR' ) - | summarize count() + | summarize count() QUERY severity = 3 From a7212c637fd9062045ecc4b874bfe99967643553 Mon Sep 17 00:00:00 2001 From: Tiffini Johnson <86614374+tjohnson7021@users.noreply.github.com> Date: Thu, 24 Oct 2024 11:26:52 -0400 Subject: [PATCH 13/16] Update adr/007-software-bill-of-materials.md remove quote Co-authored-by: halprin --- adr/007-software-bill-of-materials.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/adr/007-software-bill-of-materials.md b/adr/007-software-bill-of-materials.md index e5e7e8cb0..fbf2df48d 100644 --- a/adr/007-software-bill-of-materials.md +++ b/adr/007-software-bill-of-materials.md 
@@ -4,7 +4,7 @@ Date: 2022-12-07
 ## Decision
-In the context of generating a secure modern application, facing the need to monitor application dependencies and generate a reliable SBOM, we decided to use the [CycloneDX Gradle Plugin](https://github.com/CycloneDX/cyclonedx-gradle-plugin#usage) and we chose not to use [Anchore/Syft](https://github.com/anchore/syft#supported-ecosystems) or Snyk FOSSID" for a smoother read.
+In the context of generating a secure modern application, facing the need to monitor application dependencies and generate a reliable SBOM, we decided to use the [CycloneDX Gradle Plugin](https://github.com/CycloneDX/cyclonedx-gradle-plugin#usage) and we chose not to use [Anchore/Syft](https://github.com/anchore/syft#supported-ecosystems) or Snyk FOSSID for a smoother read.
 ## Status
From 23e181fb947047ec5d8982ad67b99c9981f60e3b Mon Sep 17 00:00:00 2001
From: James Herr
Date: Thu, 24 Oct 2024 11:27:58 -0500
Subject: [PATCH 14/16] Updated log error alert to include more information
Co-Authored-By: halprin
---
 operations/template/alert.tf | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/operations/template/alert.tf b/operations/template/alert.tf
index 898356a2d..01343195c 100644
--- a/operations/template/alert.tf
+++ b/operations/template/alert.tf
@@ -136,11 +136,11 @@ resource "azurerm_monitor_scheduled_query_rules_alert" "ti-log-errors-alert" {
 enabled = true
 query = <<-QUERY
- AppServiceConsoleLogs
- | where ResultDescription contains 'Error'
- and TimeGenerated >= ago(30m)
- and TimeGenerated <= now()
- | summarize count()
+ AppServiceConsoleLogs
+ | project columnifexists("ResultDescription", 'default_value')
+ | project JsonResult = parse_json(ResultDescription)
+ | evaluate bag_unpack(JsonResult) : (level: string, message: string)
+ | where level in ( 'ERROR' )
 QUERY
 severity = 3
From 14741eace2104d8c8cc2d1216e0966fc8e8abf08 Mon Sep 17 00:00:00 2001
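Review bot: The new filter `| where level in ( 'ERROR' )` is case-sensitive, while the interim query it replaces matched `contains 'Error'` case-insensitively; unless the JSON logger is known to always emit an upper-case `level`, a row such as `"level":"Error"` would silently never fire this alert, so `| where level in~ ('ERROR')` is the safer form. Rows whose `ResultDescription` is not JSON (for example a stack trace written straight to the console) get no `level` from `bag_unpack` and are dropped by that same filter; if that is intended, a comment inside the heredoc such as `// only JSON-formatted console lines are considered; non-JSON error output never alerts` would record it. The projected `message` column now travels with the alert to whatever the action group targets (Slack, per the subject of commit 12), so it is worth confirming that error messages cannot carry sensitive data such as request payloads or identifiers before they leave Azure Monitor. The enclosing resource block starts and ends outside the hunk.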
From: James Herr
Date: Thu, 24 Oct 2024 11:45:45 -0500
Subject: [PATCH 15/16] Changed frequency to 5mins
Co-Authored-By: halprin
---
 operations/template/alert.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/operations/template/alert.tf b/operations/template/alert.tf
index 01343195c..7b9715069 100644
--- a/operations/template/alert.tf
+++ b/operations/template/alert.tf
@@ -144,8 +144,8 @@ resource "azurerm_monitor_scheduled_query_rules_alert" "ti-log-errors-alert" {
 QUERY
 severity = 3
- frequency = 10
- time_window = 30
+ frequency = 5
+ time_window = 15
 auto_mitigation_enabled = true
 trigger {
From 715ba9cc3bd7360a112617c87ed0b22d83871cb6 Mon Sep 17 00:00:00 2001
From: James Herr
Date: Thu, 24 Oct 2024 12:33:27 -0500
Subject: [PATCH 16/16] Changed threshold operator to GreaterThanOrEqual
Co-Authored-By: halprin
---
 operations/template/alert.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/operations/template/alert.tf b/operations/template/alert.tf
index a53355739..a6094f132 100644
--- a/operations/template/alert.tf
+++ b/operations/template/alert.tf
@@ -272,7 +272,7 @@ resource "azurerm_monitor_scheduled_query_rules_alert" "ti-log-errors-alert" {
 auto_mitigation_enabled = true
 trigger {
- operator = "GreaterThan"
+ operator = "GreaterThanOrEqual"
 threshold = 1
 }
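Review bot: The new `frequency = 5` / `time_window = 15` pair carries no comment explaining why the window is three times the evaluation interval, and since patch 14 the KQL above no longer has its own `TimeGenerated` bound, so this `time_window` appears to be the only thing limiting the lookback; a comment such as `# 15-minute lookback evaluated every 5 minutes: windows overlap so a late-arriving row is still caught, and the KQL relies on this window instead of an explicit TimeGenerated filter` would record both facts. One consequence worth stating in the same comment is that a single error row is seen by three consecutive evaluations, so with `auto_mitigation_enabled = true` the alert stays fired for roughly 15 minutes after the last error rather than resolving at the next run. The `trigger` block and the rest of the resource continue outside this hunk.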