Project Team To-Dos
Overview
Product teams must complete prerequisite tasks to request and be issued a CtF. Follow these steps to complete those prerequisites.
1. Add Your Code to the Project Repository
Add your code to the GitLab repository for your project.
2. Attend the Security Onboarding Meeting
3. Assess Your Team’s Evaluation Readiness
a. Complete Required Documents
The items below are in your application's project in the Cyber Applications Team > Applications group https://code.il2.dso.mil/platform-one/cyberapplicationsteam/applications/<yourapplication>:
- POA
- SSP
- PIA DD2930
- Project architecture diagram
- List of targeted pipelines and descriptions
Note A: All applications must be integrated with P1 Keycloak, and this needs to be reflected in the architecture diagram to receive a CtF.
Note B: Confirm that the architecture diagram focuses on the component being validated (i.e., grey out the other components). A good architecture diagram should give us a clear overview of a system. At a single glance, we can see which building blocks are being used, how they interlink, and how data flows between them. All ports, protocols, and HTTP methods should be indicated for all communications/interfaces. User roles should be indicated and described.
Note C: Documentation for Components/Microservices should reflect information consistently across their respective POA, SSP, and architectural diagrams. In addition, that information should be consistent with what was identified in the SD Elements (SDE) surveys. Over the course of development, if the architecture changes, the SDE survey should be modified as well.
Note D: PIA must be completed and signed by the local command-level Privacy Office. This is a requirement even if the app does not process/store PII.
Note E: Include a basic text document with a list of targeted pipeline URLs and a brief description of each pipeline with the function it performs.
b. Review GitLab Pipeline: https://code.il2.dso.mil/
- [ ] GREEN Pipeline
Search for the name of the application in question under projects.
Select application (Listed as [Business Unit name]/[Project Name]).
Select CI/CD > "Pipelines" on the left sidebar.
Verify the most current results of the pipeline are all green and have "passed".
- Note A: If Trufflehog has a yellow "!", please verify that there are no secrets or passwords being committed. This can be done by clicking the "trufflehog" button in the pipeline, going to the right under "Job artifacts", and clicking "Download". Once the download is complete, open the artifact using an editor such as Notepad++ and verify that no passwords/secrets were found.
- Note B: E2E tests - We know of the current issues with E2E (Cypress) pipelines in staging and are working on a solution, but don't have it completed yet. In the meantime, we've set staging to allow failures. To release a version of your product, please complete the following:
Perform manual testing, independent of your product team, confirming passing tests.
- You can reach out to someone on any team to run the tests.
- You can submit a General Cyber Request with the following request: "Please verify end to end stage." If you choose this option, please provide explicit instructions for executing Cypress.
Provide a screen capture of the Cypress results and a timestamp.
Save this screen capture somewhere safe (repository, wiki, Confluence, etc.) and associate it with the commit hash of the project.
Release and be happy!
c. Review Project Scans
GitLab SAST Static Analysis
Log in to GitLab and navigate to your project.
Select Security & Compliance → Vulnerability Report from the left sidebar.
In the filters, set Report Type to SAST.
Ensure filters include all severities and statuses (including dismissed or resolved findings, if applicable).
Review the vulnerability list and verify there are no Critical, High, or Medium findings.
(If needed) Navigate to CI/CD → Pipelines, open the latest successful pipeline, and review the SAST job to confirm the scan completed successfully.
Compare the number of scanned lines of code reported in the SAST job artifacts (if available) to the scanned lines of code reported in SonarQube.
SonarQube Scan & Code Coverage
Type the project name and select the project.
Scroll down to Coverage and ensure the coverage is above 80%.
Next, select Issues at the top of the page.
On the left side panel under Severity, ensure that there are no Blocker, Critical, or Major issues.
On the left side panel under Resolution, select False Positive to list the issues that have been marked as false positives.
Verify with the App team/Platform team that each "False Positive" marking is legitimate.
SonarQube Dependency Scans
Type the project name and select the project with “Dependencies” appended to the application name.
Next, select Issues at the top of the page.
On the left side panel under Severity, ensure that there are no Blocker, Critical, or Major issues.
On the left side panel under Resolution, select False Positive to list the issues that have been marked as false positives.
Verify with the App team/Platform team that each "False Positive" marking is legitimate.
Provide comments on all "Fixed" items, indicating how they were fixed.
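As an added example (not part of the Party Bus documentation or its tooling), the script below applies the readiness rules from steps 3b and 3c to JSON already fetched from the GitLab and SonarQube APIs: the most recent pipeline on the default branch must be green, the SAST report must contain no Critical/High/Medium findings, SonarQube coverage must be at least 80%, no Blocker/Critical/Major issues may be open, and every issue resolved as a false positive is listed so it can be confirmed with the App/Platform team. The payload shapes follow the public GitLab pipelines API, the `gl-sast-report.json` artifact format and the SonarQube `api/measures/component` and `api/issues/search` endpoints; all sample values are constructed, and the `ref="main"` default branch and the ID-based "most recent" ordering are assumptions.

```python
"""Readiness pre-check for the GitLab / SonarQube steps in sections 3b and 3c.

Added example, not part of the Party Bus documentation or tooling. It only
evaluates JSON that has already been fetched from the APIs; the sample
payloads at the bottom are constructed to mirror the real response shapes.
"""
from collections import Counter

# Thresholds taken from the checklist above.
SAST_BLOCKING = {"Critical", "High", "Medium"}        # GitLab SAST severities
SONAR_BLOCKING = {"BLOCKER", "CRITICAL", "MAJOR"}     # SonarQube severities
MIN_COVERAGE = 80.0


def pipeline_gate(pipelines, ref="main"):
    """The GREEN check: the newest pipeline on `ref` must have status 'success'.
    `pipelines` is the list returned by GET /projects/:id/pipelines."""
    on_ref = [p for p in pipelines if p.get("ref") == ref]
    if not on_ref:
        return {"ok": False, "reason": f"no pipeline found on {ref}"}
    latest = max(on_ref, key=lambda p: p["id"])  # assumption: higher id == newer
    return {"ok": latest["status"] == "success", "pipeline_id": latest["id"],
            "status": latest["status"], "sha": latest.get("sha")}


def sast_gate(report):
    """Count findings in a gl-sast-report.json by severity; any
    Critical/High/Medium finding blocks the review."""
    counts = Counter(v.get("severity", "Unknown") for v in report.get("vulnerabilities", []))
    blocking = {sev: n for sev, n in counts.items() if sev in SAST_BLOCKING}
    return {"ok": not blocking, "by_severity": dict(counts), "blocking": blocking}


def sonar_gate(measures, issues, min_coverage=MIN_COVERAGE):
    """Coverage at or above the threshold, no open Blocker/Critical/Major issues,
    and a list of false-positive resolutions that still need human confirmation."""
    metrics = {m["metric"]: m["value"] for m in measures["component"]["measures"]}
    coverage = float(metrics.get("coverage", 0.0))
    open_blocking = [i["key"] for i in issues["issues"]
                     if i["severity"] in SONAR_BLOCKING
                     and i.get("status") not in ("RESOLVED", "CLOSED")]
    false_positives = [i["key"] for i in issues["issues"]
                       if i.get("resolution") == "FALSE-POSITIVE"]
    return {"ok": coverage >= min_coverage and not open_blocking,
            "coverage": coverage, "open_blocking": open_blocking,
            "false_positives_to_confirm": false_positives}


# --- Constructed sample payloads (shapes mirror the real APIs; values invented) ---
SAMPLE_PIPELINES = [
    {"id": 1201, "status": "success", "ref": "main", "sha": "<sha-placeholder-1>"},
    {"id": 1199, "status": "failed", "ref": "main", "sha": "<sha-placeholder-2>"},
    {"id": 1200, "status": "success", "ref": "feature/x", "sha": "<sha-placeholder-3>"},
]
SAMPLE_SAST_REPORT = {
    "version": "15.0.0",
    "vulnerabilities": [
        {"id": "f1", "severity": "Low", "name": "Hard-coded timeout", "location": {"file": "app.py"}},
        {"id": "f2", "severity": "Info", "name": "Debug flag", "location": {"file": "config.py"}},
    ],
}
SAMPLE_SONAR_MEASURES = {"component": {"key": "my-app", "measures": [
    {"metric": "coverage", "value": "84.6"},
    {"metric": "ncloc", "value": "12840"},
]}}
SAMPLE_SONAR_ISSUES = {"total": 3, "issues": [
    {"key": "i1", "severity": "MAJOR", "status": "RESOLVED", "resolution": "FALSE-POSITIVE"},
    {"key": "i2", "severity": "MINOR", "status": "OPEN"},
    {"key": "i3", "severity": "CRITICAL", "status": "RESOLVED", "resolution": "FIXED"},
]}


def readiness_report(pipelines=SAMPLE_PIPELINES, sast=SAMPLE_SAST_REPORT,
                     measures=SAMPLE_SONAR_MEASURES, issues=SAMPLE_SONAR_ISSUES):
    """Run every gate and roll the results up into one 'ready' flag."""
    gates = {"pipeline": pipeline_gate(pipelines),
             "sast": sast_gate(sast),
             "sonar": sonar_gate(measures, issues)}
    gates["ready"] = all(g["ok"] for g in gates.values())
    return gates


if __name__ == "__main__":
    import json
    print(json.dumps(readiness_report(), indent=2))
```

Replace the sample constants with the real responses (for example, saved with `curl` against your GitLab and SonarQube instances) and treat `false_positives_to_confirm` as the list to walk through with the App/Platform team; the script deliberately does not mark that check as passing on its own.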
d. Complete SD Elements Tasks
Complete and comment on all SD Elements tasks (the "Show only NIST tasks" filter should be checked).
Note A: Cybersecurity has culled the tasks in SD Elements and identified those that the pipeline or platform handles. If a task has a "platform" or "pipeline" tag that cannot be removed (no 'x' appears when you hover over it), the product team does not have to provide an answer. There will be an "official answer" in the "how-tos."
Note B: Complete means the product team has reviewed the task and the component is compliant with the requirement. Comments for tasks should include how the requirement is met/implemented. There are associated tests in the "testing" tab for many of the tasks that have you verify that the component is compliant. The testing task comments should document how the product team tested that it was done (there are how-tos in many of the testing tasks) and the subsequent result of the test. Don't be generic with comments.
If all items above are complete, notify the Cybersecurity team in the Product Team Path to CtF Mattermost Channel that the application is ready for Cybersecurity team CtF Review.
4. Request and Complete CtF Review
Provide the Cybersecurity team tester with login/passwords and URLs for the front-end and any API parameters used for back-end testing. The Cybersecurity team tester will validate some of the testing answers provided by the product team using non-malicious tests.
Ensure any tasks returned by Cybersecurity with the "re-visit" tag are addressed.
Provide a risk mitigation strategy/burn-down plan for any POA&M'd vulnerabilities or SDE tasks.
Finalize CtF review with project-assigned assessor.
Work with the Cybersecurity team to schedule a CtF meeting with the CISO.
After Receiving a Signed CtF
Create a Party Bus help desk ticket to update your pipeline configuration.
If this is your first CtF, or the first CtF for an Auxiliary Deploy, please create a Production Deploy ticket.
If this is a CtF renewal or extension, please create a CtF Renewal Pipeline Update ticket.
If you have questions about this message, or find the links inoperable, please create a General Support ticket to receive assistance from the MDO team.
If you are unable to reach any of the provided links, other options are:
- Ask for help in your COT ticket or Mattermost CtF channel with the CAT.
- Reach out to us on the IL2 MatterMost Party Bus Value Stream Support Channel.