Skip to content

skillstream/secure-dev-evidence

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 

Repository files navigation

Secure Development Evidence Pack

This resource shares some general information about Skillstream's software development lifecycle, with particular reference to our security practices, and links to evidence for anyone undertaking due diligence.

The lifecycle is backed by a variant of the 'git-flow' branching strategy, with Atlassian Jira tracking features and issues, and GitHub supporting peer review, test automation and release tracking.

List of Tools

Day-to-day

Below is a list of tools we use during development to assist us, backed by Github Actions as laid-out in this sample workflow.

  • bundler-audit checks 3rd-party libraries against the CVE database for known vulnerabilities in Ruby gems.
  • yarn-audit checks 3rd-party libraries against the CVE database for known vulnerabilities in nvm packages.
  • Brakeman analyses projects which use the Ruby on Rails framework for common vulnerabilities.
  • Rubocop enforces in-house coding style and is also good at highlighting the subset of bugs which can arise from violating conventions, e.g. variable shadowing, method duplication after a merge, etc.
  • RSpec is used to define expected behaviour and test those expectations. Some of those expectations explicitly cover access control, but other tests will prevent the many bugs that could also have had security implications.

Penetration testing

These are the main tools we use for periodic review of application security:

  • OWASP ZAP to scan our web apps for vulnerabilities.
  • Kali Linux VM because it comes pre-installed with ZAP and a lot of other useful tools, and is a safe environment for handling malware if required.
Evidence

Devops

Configuration

For our cloud-native environments, we deploy Docker containers to Kubernetes clusters.

For classic environments, we manage the nodes hosting our applications using Chef. The provisioning and configuration of each node (where a node is a VM or dedicated server) is defined in our 'chef kitchen' repo, version-tracked and change-managed using git, GitHub and Jira.

Evidence

Monitoring

Our live monitoring solution is an in-house tool we call smon. It was built as an aggregator of collectd statistics from our nodes, but has come to act as a central board for

  • monitoring system health
  • monitoring application installations
  • tracking software releases through staging environments into production

In addition to smon, we also run Logwatch on each linux node (evidence: sample output from Logwatch). Using collectd to aggregate the same data as Logwatch is on the roadmap for smon.

We additionally have event logging in our Akamai (formerly Linode) infrastructure management console.

Evidence

About

Secure Development Evidence Pack

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published