MCaaS Application Security Guardrails
Below is an application security checklist recommended by the OCISO DevSecOps team for MCaaS applications. It covers the key security requirements, marks the stopper controls for MCaaS applications, and recommends security solutions/approaches for some of your application's security needs. Note that this is not a complete list of everything required to meet all NIST control requirements; providing that complete list is not the purpose of this document.
S.No | Description | Associated Control in CRM |
---|---|---|
1 | Ensure all your containers are free of fixable critical and high vulnerabilities. <br> You can see the Twistlock scan result of your container image in the Jenkins pipeline. In the near future the GSA OCISO DevSecOps team will fail deployments for containers with high and critical findings. | RA-5 |
2 | Ensure your container images are built with least functionality: minimal software, and only the packages/dependencies required by the application. | CM-7(1) |
3 | Ensure your container images align with the GSA container image security benchmark. | CM-2 |
4 | Ensure a trusted registry is used to pull container images. Use GSA base container images when available. (In the near future the GSA OCISO DevSecOps team will provide a GSA trusted internal registry and base images, on a best-effort basis.) | RA-5 & PL-8 |
5 | Write down your Calico network policy based on your microservices and which microservice needs to connect to which. | AC-4 |
6 | Ensure your application dependencies, libraries and open source components are free of known and fixable vulnerabilities. | RA-5 |
7 | Ensure open source code and components used in your application are well maintained and supported. Be mindful of the software supply chain risk associated with unmanaged, outdated or unknown providers/communities of open source code. Use internal reusable components and libraries in application code, if available. | RA-5 & SA-11 (1) |
8 | Perform static code scanning of your application and remediate the findings. | SA-11 (1) |
9 | Ensure MFA on your web application. GSA SecureAuth, Okta, login.gov and MAX.gov are some commonly used solutions. | IA-2 (11) |
10 | Ensure your sensitive data (e.g. PCI/PII) is encrypted at the application layer. <br> Note: If your application does not hold PCI/PII or business-sensitive data, volume-level encryption provided by FCS data services or by AWS using a KMS key will suffice. The AWS Encryption SDK combined with KMS can be used for application-level encryption of sensitive fields. | SC-28 (1) |
11 | Develop a process for continuously replacing your containers with the latest patched, vulnerability-free containers. | RA-5 & SA-10 |
12 | Ensure all COTS or open source software/tools running in containers are approved by the CTO and listed in GEAR. | PL-8 |
13 | Update COTS products or open source tools running in containers to the latest release. | RA-5 |
14 | Ensure external connections, database connections, API calls etc. are made over an encrypted connection such as TLS/HTTPS. <br> Note: Connections between pods/containers are over TLS by default because the MCaaS platform uses Istio. | SC-8 |
15 | Use AWS Secrets Manager instead of storing credentials or other secrets in container images, Dockerfiles etc. | SA-10 |
16 | Generate audit logs from containers. | AU-2 |
17 | Generate logs from applications running in containers and standardize the process for application log review. | AU-12 & AU-2 |
18 | Ensure your production URL is scanned by Netsparker and findings are remediated. | RA-5 |
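As an added example (not MCaaS platform code and not Twistlock's real output), the following Python script shows the kind of pipeline gate that items 1 and 6 describe: it reads a scan export, keeps only findings that are both critical/high and have a published fix, prints a short report, and returns a non-zero exit code so the Jenkins stage fails. The JSON layout, the image name and the CVE ids are constructed placeholders; adapt `parse_findings()` to the scanner actually in use.

```python
"""Deployment gate for checklist items 1 and 6: block the build when an
image or dependency scan reports fixable Critical or High findings.

The JSON layout used here is a constructed stand-in, not Twistlock's real
export schema; adapt parse_findings() to the scanner actually in use.
"""
import json
import sys
from dataclasses import dataclass

# Severities that stop a deployment. Medium/low are reported but do not block.
BLOCKING_SEVERITIES = frozenset({"critical", "high"})

# Constructed sample scan output. Image name and CVE ids are placeholders.
SAMPLE_SCAN = json.dumps({
    "image": "registry.example.invalid/team/app:1.2.3",
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "severity": "Critical", "package": "openssl",
         "installed": "1.1.1k", "fixed_in": "1.1.1n"},
        {"id": "CVE-0000-0002", "severity": "High", "package": "libxml2",
         "installed": "2.9.10", "fixed_in": ""},        # no vendor fix yet
        {"id": "CVE-0000-0003", "severity": "Medium", "package": "curl",
         "installed": "7.74.0", "fixed_in": "7.79.0"},
        {"id": "CVE-0000-0004", "severity": "High", "package": "zlib",
         "installed": "1.2.11", "fixed_in": "1.2.12"},
    ],
})


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    severity: str   # normalised to lower case
    package: str
    installed: str
    fixed_in: str   # empty string when no fixed version exists

    @property
    def fixable(self) -> bool:
        # "Fixable" in the checklist sense: a fixed package version is published.
        return bool(self.fixed_in.strip())


def parse_findings(scan_json: str) -> list[Finding]:
    """Turn the scanner's JSON export into Finding records."""
    data = json.loads(scan_json)
    return [
        Finding(
            vuln_id=v["id"],
            severity=v["severity"].lower(),
            package=v["package"],
            installed=v.get("installed", ""),
            fixed_in=v.get("fixed_in", ""),
        )
        for v in data.get("vulnerabilities", [])
    ]


def blocking_findings(findings: list[Finding]) -> list[Finding]:
    """The stopper condition: fixable AND critical/high."""
    return [f for f in findings if f.severity in BLOCKING_SEVERITIES and f.fixable]


def gate(scan_json: str) -> tuple[int, list[str]]:
    """Evaluate a scan. Returns (exit_code, report_lines); 1 blocks the deploy."""
    findings = parse_findings(scan_json)
    blocking = blocking_findings(findings)
    # Critical/high with no fix cannot be remediated by upgrading; track them
    # for risk acceptance rather than failing the build indefinitely.
    unfixable = [f for f in findings
                 if f.severity in BLOCKING_SEVERITIES and not f.fixable]
    report = [f"{len(findings)} finding(s), {len(blocking)} blocking "
              f"(fixable critical/high), {len(unfixable)} critical/high without a fix"]
    report += [f"BLOCK  {f.vuln_id} {f.severity:<8} {f.package} {f.installed} "
               f"-> upgrade to {f.fixed_in}" for f in blocking]
    report += [f"TRACK  {f.vuln_id} {f.severity:<8} {f.package} {f.installed} "
               f"(no fixed version published)" for f in unfixable]
    return (1 if blocking else 0), report


if __name__ == "__main__":
    # Usage: python gate.py scan.json   (falls back to the constructed sample)
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCAN
    exit_code, lines = gate(raw)
    print("\n".join(lines))
    sys.exit(exit_code)
```

Wired into a Jenkins stage, the non-zero exit is what turns item 1 from a recommendation into a stopper control; the `TRACK` lines give the application team a list of critical/high findings that need a risk decision because no upgrade exists yet.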
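Item 5 asks you to write down which microservice needs to connect to which. The added Python below (not the MCaaS project's own code) turns such a map into Calico `projectcalico.org/v3` NetworkPolicy objects, one per destination service, that allow only the declared callers on the declared TCP ports; because each policy contains only Allow rules for Ingress, any traffic that matches no rule is denied by Calico's implicit default for selected endpoints. The namespace, service names, ports, the `gateway` peer and the `app` label key are all assumptions made for the example.

```python
"""Checklist item 5: derive Calico NetworkPolicy objects from a written-down
map of which microservice may call which.

Everything below is constructed for illustration: the namespace, the service
names, the ports, and the assumption that workloads carry an `app=<name>`
label in a single namespace. Adjust the label key and namespace to your cluster.
"""
import json

LABEL_KEY = "app"
NAMESPACE = "example-ns"          # constructed namespace name

# Peers that may appear as callers but are managed outside this file
# (here: a hypothetical edge gateway labelled app=gateway).
EXTERNAL_PEERS = frozenset({"gateway"})

# Constructed dependency map: destination -> {caller: [TCP ports]}.
# Anything not listed here is denied once a policy selects the destination.
SERVICE_GRAPH = {
    "web":      {"gateway": [8080]},
    "orders":   {"web": [8080]},
    "payments": {"orders": [8443]},
}


def unknown_callers(graph, external=EXTERNAL_PEERS):
    """Return {service: [caller, ...]} for callers that are neither a known
    service nor a declared external peer; catches typos before they silently
    become a rule that never matches."""
    known = set(graph) | set(external)
    bad = {}
    for svc, callers in graph.items():
        missing = sorted(c for c in callers if c not in known)
        if missing:
            bad[svc] = missing
    return bad


def build_policies(namespace, graph, label_key=LABEL_KEY):
    """One projectcalico.org/v3 NetworkPolicy per destination service, with
    an Allow rule per declared caller. Because each policy lists only Allow
    rules for Ingress, traffic matching no rule is denied by Calico's
    implicit default for endpoints that a policy selects."""
    problems = unknown_callers(graph)
    if problems:
        raise ValueError(f"undeclared callers: {problems}")
    policies = []
    for svc, callers in sorted(graph.items()):
        ingress = [
            {
                "action": "Allow",
                "protocol": "TCP",
                "source": {"selector": f"{label_key} == '{caller}'"},
                "destination": {"ports": sorted(ports)},
            }
            for caller, ports in sorted(callers.items())
        ]
        policies.append({
            "apiVersion": "projectcalico.org/v3",
            "kind": "NetworkPolicy",
            "metadata": {"name": f"allow-to-{svc}", "namespace": namespace},
            "spec": {
                "selector": f"{label_key} == '{svc}'",
                "types": ["Ingress"],
                "ingress": ingress,
            },
        })
    return policies


def render(policies):
    """Serialise as a multi-document YAML stream. JSON is valid YAML, so each
    document is plain json.dumps output, separated by '---'."""
    return "\n---\n".join(json.dumps(p, indent=2) for p in policies) + "\n"


if __name__ == "__main__":
    print(render(build_policies(NAMESPACE, SERVICE_GRAPH)), end="")
```

The rendered stream can be applied with `calicoctl apply -f`. Keeping the dependency map as the source of truth, and generating the policies from it, means a new service-to-service call has to be written down (and reviewed) before it is allowed on the network, which is the AC-4 intent behind item 5.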