DRIs for handling various tasks related to security vulnerabilities
Background
Long-term DRIs for security vulnerabilities are necessary to avoid making any single development group a single point of failure (SPOF) for the FedRAMP program. group::distribution triaged all reported findings (more than 1500) in the vanilla scanner reports, de-duplicated instances, automated report post-processing, and handled about 65-70% of the severity::1 and severity::2 confirmed vulnerabilities reported from the AppSec scans. group::static analysis and group::composition analysis had similar experience while working on vulnerabilities from scanners.
The vulnerabilities are typically discovered in two types of scans: dependency scans and container image scans. The dependency scan covers the third-party components that are used in the GitLab product and shipped to customers, such as Ruby gems, functional applications, etc. The container image scan covers all the container images GitLab ships to customers, usually built on top of base images such as Red Hat UBI.
DRIs
- Investigate/Triage
  - The Security team is responsible for triaging the detected vulnerabilities and making their best guess at which development group to assign them to.
  - The triage shall filter out duplicates and false alarms, and validate the actual impact on GitLab; for example, there are legitimate CVEs that are not exploitable in the GitLab application.
  - There is no default development group to assign to; avoid assigning the majority of vulnerabilities to a single group when ownership is ambiguous. If GitLab engineers are needed, escalate to engineering management.
  - Security can have the owning resolve group assist in the investigation as subject matter experts, but Security must be responsible for providing the priority/severity scoring and determining the CVSS score.
  - For risk adjustment deviations that require manual evaluation, the creation of the risk adjustment and its justification should be the outcome of triage, and is the responsibility of the Security team. Development teams for the respective subject matter can be reached to provide GitLab implementation specifics.
  - The Security team is responsible for automating scanner report triaging and Deviation Request logging.
- Resolve
  - The development groups that introduce or consume the dependency of concern (e.g. gems, libs, base images, etc.) are responsible for resolving vulnerabilities detected against that dependency.
  - For business-selected vendors that provide base images (RHEL's UBI8, for example), we need to wait for their patches or log a Deviation Request; both are viable resolutions. The responsibility for automating as much of this as possible lies with the Vulnerability Management team.
  - The assigned development group can redirect issues if the initial assignment was inaccurate.