
Audit event logging for DAST config changes

Problem to solve

As the person responsible for the security scanning of my websites, I want to know when changes have been made to the DAST scan and site configs, so that I can know who made what changes.

Intended users

User experience goal

The user should be able to go to the "Security & Compliance" => "Audit Events" section of their project and see anything that has been logged there, specifically, any changes to the DAST config profiles.

Proposal

The events that should be logged are:

  • Creation of a new Scanner or Site profile
    • The "Action" should state that a new [Scanner/Site] profile was created
    • The "Target" should state the name of the new profile
  • Deletion of a Scanner or Site profile
    • The "Action" should state that a [Scanner/Site] profile was deleted
    • The "Target" should state the name of the deleted profile
  • Editing of a Scanner or Site profile
    • The "Action" should state that a [Scanner/Site] profile was edited
      • (Stretch) The Action should state what fields were changed and what the new selected options are
    • The "Target" should state the name of the edited profile
  • Creation of a saved on-demand DAST test
    • The "Action" should state that a new on-demand DAST test was created
    • The "Target" should state the name of the new test
  • Deletion of a saved on-demand DAST test
    • The "Action" should state that an on-demand DAST test was deleted
    • The "Target" should state the name of the deleted test
  • Editing of a saved on-demand DAST test
    • The "Action" should state that an on-demand DAST test was edited
      • (Stretch) The Action should state what was changed (profile/branch/name) and what the new value is
    • The "Target" should state the name of the on-demand DAST test

Further details

Maintainer and owner roles should have access to see the audit events.

Documentation

  • Update the DAST docs to state that all changes to the config profiles and saved on-demand tests are logged to the project Audit Events log.
  • Update the Audit Events docs to list the new DAST events that are logged there.

Execution

Use AuditEventService#security_event to persist events for the DastSiteProfile, DastScannerProfile, and Dast::Profile models. This will involve adding a method for each of the objects to AuditEventService that can handle :create, :update, and :destroy events. The AuditEventService#for_member method can serve as a guide on how to structure the new methods.

AuditEventService#for_changes might be worth using for the Stretch goal of including details on the changes made during :update events.

  • Use AuditEventService to log uses of DastScannerProfiles::CreateService, DastScannerProfiles::UpdateService, and DastScannerProfiles::DestroyService using the parameters defined in the Proposal
  • Use AuditEventService to log uses of DastSiteProfiles::CreateService, DastSiteProfiles::UpdateService, and DastSiteProfiles::DestroyService using the parameters defined in the Proposal
  • Use AuditEventService to log uses of Dast::Profiles::CreateService, Dast::Profiles::UpdateService, and Dast::Profiles::DestroyService using the parameters defined in the Proposal
  • Update the documentation as mentioned in Documentation
  • (Stretch) Create one audit event for each field changed on the object, and specify the details using AuditEventService#for_changes so that users can see exactly what changed
  • (Stretch, ~"technical debt") If possible, move the changed DAST services into the AppSec::Dast namespace
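The following is an added, stand-alone sketch of the shape the per-model audit methods could take, including the stretch goal of one event per changed field. It is not GitLab's code: DastProfileAuditor, AuditEvent, and the attribute sets on the three profile structs are hypothetical stand-ins for the real models, and the real implementation would persist through AuditEventService#security_event and AuditEventService#for_changes rather than an in-memory sink. The redaction of password-like fields is an added caveat for the stretch goal: once field values are written into the "Action" or details, anything secret on a site profile would otherwise land in the audit log.

```ruby
# Added example (not GitLab's own code). All class names and fields here are
# hypothetical stand-ins for the DAST models named in the issue.

# Minimal stand-in for a persisted audit event row.
AuditEvent = Struct.new(:author_name, :entity_type, :entity_id, :action, :target, :details,
                        keyword_init: true)

# Stand-ins for DastSiteProfile, DastScannerProfile and Dast::Profile (hypothetical attributes).
DastSiteProfile = Struct.new(:id, :project_id, :name, :target_url, :auth_password, keyword_init: true)
DastScannerProfile = Struct.new(:id, :project_id, :name, :spider_timeout, :target_timeout, keyword_init: true)
DastProfile = Struct.new(:id, :project_id, :name, :branch_name, :dast_site_profile_id,
                         :dast_scanner_profile_id, keyword_init: true)

class DastProfileAuditor
  # Wording for the "Action" column, per the Proposal above.
  KINDS = {
    DastSiteProfile => 'site profile',
    DastScannerProfile => 'scanner profile',
    DastProfile => 'on-demand DAST test'
  }.freeze

  # Field names whose values must never be copied into the audit log (assumption).
  SENSITIVE = /password|token|secret/.freeze

  attr_reader :sink

  # `sink` stands in for the database; the real service would persist each event.
  def initialize(author_name:, sink: [])
    @author_name = author_name
    @sink = sink
  end

  def create(profile)
    record(profile, "Created #{kind(profile)}", {})
  end

  def destroy(profile)
    record(profile, "Deleted #{kind(profile)}", {})
  end

  # Stretch goal: one event per changed field. `before` is a snapshot of the
  # record taken before the update service applied the new attributes.
  def update(before, after)
    diff(before, after).map do |field, (from, to)|
      record(after, "Edited #{kind(after)}: changed #{field}",
             { change: field.to_s, from: from, to: to })
    end
  end

  private

  def kind(profile)
    KINDS.fetch(profile.class)
  end

  # Returns { field => [old, new] } for every attribute that changed, with
  # secret-looking fields recorded as changed but with their values redacted.
  def diff(before, after)
    before.to_h.each_with_object({}) do |(field, old), acc|
      new = after[field]
      next if old == new

      acc[field] = field.to_s.match?(SENSITIVE) ? ['[REDACTED]', '[REDACTED]'] : [old, new]
    end
  end

  # The "Target" column is the profile name, as the Proposal requires.
  def record(profile, action, details)
    event = AuditEvent.new(
      author_name: @author_name,
      entity_type: 'Project',
      entity_id: profile.project_id,
      action: action,
      target: profile.name,
      details: details
    )
    @sink << event
    event
  end
end
```

Each of the three Create/Update/Destroy service triples in the list above would call the matching method here; `update` takes a pre-change snapshot because the diff has to be computed before the model is saved, and an unchanged update emits nothing.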
Edited by Avielle Wolfe