Merge branch 'jarv/readiness-infrasec' into 'master'

Update the Infrasec portions of the Readiness template

See merge request !181

.gitlab/issue_templates/production_readiness.md

@@ -83,6 +83,14 @@ _The items below will be reviewed by the Reliability team._
   - List the member(s) of the team who built the feature will be on call for the launch.
   - List the external and internal dependencies to the application (ex: redis, postgres, etc) for this feature and how the service will be impacted by a failure of that dependency.
 
+## Infrastructure
+
+_The items below will be reviewed by the Reliability team._
+
+- [ ] Do we use IaC (e.g., Terraform) for all the infrastructure related to this feature? If not, what kind of resources are not covered?
+- [ ] Is the service covered by any DDoS protection solution (GCP/AWS load-balancers or Cloudflare usually cover this)?
+- [ ] Are all cloud infrastructure resources labeled according to the [Infrastructure Labels and Tags](https://about.gitlab.com/handbook/infrastructure-standards/labels-tags/) guidelines?
+
 ### Operational Risk
 
 _The items below will be reviewed by the Reliability team._
@@ -115,56 +123,30 @@ _The items below will be reviewed by the Infrasec team._
   - DNS names:
   - Entry-points exposed to the internet (Public IPs, Load-Balancers, Buckets, etc...):
   - Other (anything relevant that might be worth mention):
-
-### Secure Software Development Life Cycle (SSDLC)
-
-_The items below will be reviewed by the Infrasec team._
-
-- [ ] Is the configuration following a security standard? (CIS is a good baseline for example)
-- [ ] All cloud infrastructure resources are labeled according to the [Infrastructure Labels and Tags](https://about.gitlab.com/handbook/infrastructure-standards/labels-tags/) guidelines
 - [ ] Were the [GitLab security development guidelines](https://docs.gitlab.com/ee/development/secure_coding_guidelines.html) followed for this feature?
-- [ ] Do we have an automatic procedure to update the infrastructure (OS, container images, packages, etc...)
-- [ ] Do we use IaC (Terraform) for all the infrastructure related to this feature? If not, what kind of resources are not covered?
-- [ ] Do we have secure static code analysis tools ([kics](https://github.com/Checkmarx/kics) or [checkov](https://github.com/bridgecrewio/checkov)) covering this feature's Terraform?
-- If there's a new Terraform state:
-  - [ ] Where is to Terraform state stored, and who has access to it?
-  - [ ] Does this feature add secrets to the Terraform state? If yes, can they be stored in a secrets manager?
-- If we're creating new containers:
-  - [ ] Are we using a distroless base image?
-  - Do we have security scanners covering these containers?
-    - [ ] `kics` or `checkov` for Dockerfiles for example
-    - [ ] [GitLab's container](https://docs.gitlab.com/ee/user/application_security/container_scanning/#configuration) scanner for vulnerabilities
+- [ ] Do we have an automatic procedure to update the infrastructure (OS, container images, packages, etc...). For example, using unattended upgrade or [renovate bot](https://github.com/renovatebot/renovate) to keep dependencies up-to-date?
+- [ ] For IaC (e.g., Terraform), is there any secure static code analysis tools like ([kics](https://github.com/Checkmarx/kics) or [checkov](https://github.com/bridgecrewio/checkov))? If not and new IaC is being introduced, please explain why.
+- [ ] If we're creating new containers (e.g., a Dockerfile with an image build pipeline), are we using `kics` or `checkov` to scan Dockerfiles or [GitLab's container](https://docs.gitlab.com/ee/user/application_security/container_scanning/#configuration) scanner for vulnerabilities?
 
 ### Identity and Access Management
 
 _The items below will be reviewed by the Infrasec team._
 
 - [ ] Are we adding any new forms of Authentication (New service-accounts, users/password for storage, OIDC, etc...)?
-- [ ] Does it follow the least privilege principle?
-- If we are adding any new Data Storage (Databases, buckets, etc...):
-  - [ ] What kind of data is stored on each system? (secrets, customer data, audit, etc...)
-  - [ ] How is data rated according to our [data classification standard](https://about.gitlab.com/handbook/engineering/security/data-classification-standard.html) (customer data is RED)
-  - [ ] Is data encrypted at REST? (If the storage is provided by a GCP service, the answer is most likely yes)
-  - [ ] Do we have audit logs on data access?
-- Network security (encryption and ports should be clear in the architecture diagram above):
-  - [ ] Firewalls follow the least privilege principle (w/ network policies in Kubernetes or firewalls on cloud provider)
-  - [ ] Is the service covered by any DDoS protection solution (GCP/AWS load-balancers or Cloudflare usually cover this)
-  - [ ] Is the service covered by a WAF (Web Application Firewall)
-
-### Logging & Audit
-
-_The items below will be reviewed by the Infrasec team._
-
- - [ ] Is sensitive customer data visible in logging?
- - [ ] Ensure we are keeping required access and audit logs for compliance, and only what is necessary.
+- [ ] Was effort put in to ensure that the new service follows the [least privilege principle](https://en.wikipedia.org/wiki/Principle_of_least_privilege), so that permissions are reduced as much as possible?
+- [ ] Do firewalls follow the least privilege principle (w/ network policies in Kubernetes or firewalls on cloud provider)?
+- [ ] Is the service covered by a [WAF (Web Application Firewall)](https://cheatsheetseries.owasp.org/cheatsheets/Secure_Cloud_Architecture_Cheat_Sheet.html#web-application-firewall) in [Cloudflare](https://gitlab.com/gitlab-com/runbooks/-/tree/master/docs/cloudflare#how-we-use-page-rules-and-waf-rules-to-counter-abuse-and-attacks)?
 
-### Compliance
+### Logging, Audit and Data Access
 
 _The items below will be reviewed by the Infrasec team._
 
+- [ ] Did we make an effort to redact customer data from logs?
+- [ ] What kind of data is stored on each system (secrets, customer data, audit, etc...)?
+- [ ] How is data rated according to our [data classification standard](https://about.gitlab.com/handbook/engineering/security/data-classification-standard.html) (customer data is RED)?
+- [ ] Do we have audit logs for when data is accessed? If you are unsure or if using Reliability's central logging and a new pubsub topic was created, create an issue in the [Security Logging Project](https://gitlab.com/gitlab-com/gl-security/engineering-and-research/security-logging/security-logging/-/issues/new?issuable_template=add-remove-change-log-source) using the `add-remove-change-log-source` template.
  - [ ] Ensure appropriate logs are being kept for compliance and requirements for retention are met.
- - [ ] Is the service subject to any regulatory/compliance standards? If so, detail which and provide details on applicable controls, management processes, additional monitoring, and mitigating factors.
- - [ ] If the data classification = Red for the new environment, please create a [Security Compliance Intake issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/security-compliance-commercial-and-dedicated/security-compliance-intake/-/issues/new?issue[title]=System%20Intake:%20%5BSystem%20Name%20FY2%23%20Q%23%5D&issuable_template=intakeform).
+ - [ ] If the data classification = Red for the new environment, please create a [Security Compliance Intake issue](https://gitlab.com/gitlab-com/gl-security/security-assurance/security-compliance-commercial-and-dedicated/security-compliance-intake/-/issues/new?issue[title]=System%20Intake:%20%5BSystem%20Name%20FY2%23%20Q%23%5D&issuable_template=intakeform). Note this is not necessary if the service is deployed in existing Production infrastructure.
 
 ## Beta