This repository has been archived by the owner on Oct 24, 2024. It is now read-only.
During the assessment the SORN team did not provide control language or technical evidence to satisfy SC-7c. Cloud.gov does not allow direct inheritance for this portion of the co
SC-7: The team should implement rules to prevent the system-specified portion of the application from exchanging traffic with systems outside its own boundary over unsanctioned or unmonitored interfaces.
The SSP should be updated to provide specific information on how the application prevents exchange of traffic with systems outside its boundary.
As it stands, there is nothing that prevents SORN DASH from reaching out to any app on the internet, and CF supports ASGs, which are not exposed to tenants. No cloud.gov app can control that. Capability does not exist. No one can control their firewall rules.
cloud.gov has introduced restricted space types; can be moved to closed space types with an outbound proxy with an allow list of domain names. The question is whether the Ruby app respects proxy rules; if not, it would require some custom code.
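One way to check the open question above for code that uses Ruby's standard library, as an added example that is not part of the original thread or the SORN DASH code base: `URI#find_proxy` is the lookup `Net::HTTP` performs by default, so running it over the app's outbound URLs shows which calls would bypass the proxy. The proxy name, the addresses, and the helper names `egress_route` and `direct_routes` are constructed, and the premise that a closed space permits egress only through the proxy is an assumption.

```ruby
require 'uri'
require 'socket'

# Classify how Ruby's standard library would route one outbound URL, given the
# environment the app runs with. Raw sockets and HTTP clients that carry their
# own proxy settings do not consult this lookup and need separate review.
# Assumes a non-CGI process (no REQUEST_METHOD in env).
def egress_route(url, env)
  uri = URI.parse(url)
  proxy = uri.find_proxy(env)
  return { url: url, route: :proxied, via: "#{proxy.host}:#{proxy.port}" } if proxy

  var = "#{uri.scheme.downcase}_proxy"
  configured = env[var] || env[var.upcase]
  reason = if configured.nil? || configured.empty?
             "#{var} is not set"
           else
             'destination is loopback or matches no_proxy'
           end
  { url: url, route: :direct, reason: reason }
end

# Every destination that would be attempted directly, i.e. outside the
# proxy's allow list (assumption: the space blocks direct egress).
def direct_routes(urls, env)
  urls.map { |u| egress_route(u, env) }.select { |r| r[:route] == :direct }
end

# Constructed sample environment: only https_proxy is set, a common gap.
SAMPLE_ENV = {
  'https_proxy' => 'http://egress-proxy.example.internal:8080',
  'no_proxy'    => '198.51.100.7'
}.freeze

# Constructed destinations. Hostnames are handled the same way; IP literals
# keep the sample offline because find_proxy resolves the destination host.
SAMPLE_URLS = [
  'https://203.0.113.10/api',      # proxied
  'http://203.0.113.10/feed',      # direct: no http_proxy variable
  'https://198.51.100.7/internal', # direct: listed in no_proxy
  'https://127.0.0.1:8443/health'  # direct: loopback always bypasses
].freeze

if __FILE__ == $PROGRAM_NAME
  direct_routes(SAMPLE_URLS, SAMPLE_ENV).each do |r|
    puts "DIRECT #{r[:url]} (#{r[:reason]})"
  end
end
```

Passing `ENV` instead of the sample hash evaluates the variables the running app actually sees.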