[Platformone] [EXT] Re: IATT Way Ahead

Miller, Timothy J. tmiller at mitre.org
Thu Dec 19 14:56:20 UTC 2019


Do we have tooling to do deltas between OVAL results files?  This would be nice to have.

-- T

On 12/18/19, 20:42, "Lastrilla, Jet" <jlastrilla at mitre.org> wrote:

    
    Austen,
    
    
    It was exciting to see the progress and all the collaboration between the platform and app teams. One of the things we mentioned to Nic is the current RMF requires scans in the production environment. Taylor needs to rescan the apps while inside the UP prod VPC to show that there is no change between stages of build. This was the proof of DSOP that I told Nic we needed.
    
    We still need to work on the ingress whitelisting from DODIN. I don't have a tag up scheduled, but I'll put one in the calendar for tomorrow afternoon. I will be out of pocket in the afternoon for a preschool play. Tina would kill me if I missed it.
    
    Get Outlook for iOS <https://aka.ms/o0ukef>
    
    ________________________________________
    From: BRYAN, AUSTEN R Capt USAF AFMC AFLCMC/HNCP <austen.bryan.1 at us.af.mil>
    Sent: Wednesday, December 18, 2019 8:37 PM
    To: Lastrilla, Jet; Miller, Timothy J.; DIROCCO, ROGER E GG-13 USAF AFMC ESC/AFLCMC/HNCP; Kevin O'Donnell; platformONE at redhat.com
    Cc: Tim Gast; Bubb, Mike; TRAMBLE, ELIJAH Q Capt USAF AFMC AFLCMC/HNC; tj.zimmerman at braingu.com; LOPEZDEURALDE, RICHARD A Lt Col USAF AFMC AFLCMC/HNCP; Blade, Eric D [US] (MS); RAMIREZ, JOSE A CTR USAF AFMC AFLCMC/HNCP; Leonard, Michael C.; Feiglstok, Colleen M [US] (MS); REINHARDT, MELISSA A GG-13 USAF AFMC AFLCMC/HNCP
    Subject: RE: [Platformone] [EXT] Re: IATT Way Ahead
     
    
    Jet, Thanks for the quick rundown. Really excited by the team's progress. We need to capture the goodness in this coordination from the past few days and institutionalize it. Not sure when, where and who yet but we need to track that too. In #2, did you mean Taylor scan the apps again since the latest round of code changes and builds? Is the task complete, or is it at a later date, to whitelist DODIN IP addresses? Are we tagging up again tomorrow? If so, please put something on the calendar for end of day-ish. Lastly, we should track an open action for a scheduled meeting with Ms K. Nic and I continue to reach out.
    
    -Austen
    
    -----Original Message-----
    From: platformone-bounces at redhat.com <platformone-bounces at redhat.com> On Behalf Of Lastrilla, Jet
    Sent: Wednesday, December 18, 2019 3:32 PM
    To: Miller, Timothy J. <tmiller at mitre.org>; DIROCCO, ROGER E GG-13 USAF AFMC ESC/AFLCMC/HNCP <roger.dirocco.4 at us.af.mil>; Kevin O'Donnell <kodonnel at redhat.com>; platformONE at redhat.com
    Cc: Tim Gast <tg at braingu.com>; Bubb, Mike <mbubb at mitre.org>; TRAMBLE, ELIJAH Q Capt USAF AFMC AFLCMC/HNC <elijah.tramble.1 at us.af.mil>; tj.zimmerman at braingu.com; LOPEZDEURALDE, RICHARD A Lt Col USAF AFMC AFLCMC/HNCP <richard.lopezdeuralde at us.af.mil>; Blade, Eric D [US] (MS) <Eric.Blade at ngc.com>; RAMIREZ, JOSE A CTR USAF AFMC AFLCMC/HNCP <jose.ramirez.50.ctr at us.af.mil>; Leonard, Michael C. <leonardm at mitre.org>; Feiglstok, Colleen M [US] (MS) <Colleen.Feiglstok at ngc.com>; REINHARDT, MELISSA A GG-13 USAF AFMC AFLCMC/HNCP <melissa.reinhardt.2 at us.af.mil>
    Subject: [Non-DoD Source] Re: [Platformone] [EXT] Re: IATT Way Ahead
    
    All:
    
    Great job to the collective team on getting this done together! Here are the actions, in order, that need to be completed:
    
    1. Complete AAM build in UP Prod. Blocker being worked by RH and Gu
    2. Colleen scans UP Prod VPC in conjunction with Taylor scanning the VPC
    3. Identify delta between testing provided earlier this week and new environment scans
    4. Update external interface diagram per Nic's request (no dependencies on others on this list)
    5. Send updated IATT package to Nic/Lauren.
    
    Let me know if you have any questions.
    
    R/Jet
    619-508-5888
    
    -----Original Message-----
    From: Miller, Timothy J. <tmiller at mitre.org>
    Sent: Wednesday, December 18, 2019 2:41 PM
    To: DIROCCO, ROGER E GG-13 USAF AFMC ESC/AFLCMC/HNCP <roger.dirocco.4 at us.af.mil>; Lastrilla, Jet <jlastrilla at mitre.org>; Kevin O'Donnell <kodonnel at redhat.com>; platformONE at redhat.com
    Cc: Tim Gast <tg at braingu.com>; Bubb, Mike <mbubb at mitre.org>; TRAMBLE, ELIJAH Q Capt USAF AFMC AFLCMC/HNC <elijah.tramble.1 at us.af.mil>; tj.zimmerman at braingu.com; LOPEZDEURALDE, RICHARD A Lt Col USAF AFMC AFLCMC/HNCP <richard.lopezdeuralde at us.af.mil>; Blade, Eric D [US] (MS) <Eric.Blade at ngc.com>; RAMIREZ, JOSE A CTR USAF AFMC AFLCMC/HNCP <jose.ramirez.50.ctr at us.af.mil>; Leonard, Michael C. <leonardm at mitre.org>; Feiglstok, Colleen M [US] (MS) <Colleen.Feiglstok at ngc.com>; REINHARDT, MELISSA A GG-13 USAF AFMC AFLCMC/HNCP <melissa.reinhardt.2 at us.af.mil>
    Subject: Re: [Platformone] [EXT] Re: IATT Way Ahead
    
    > Is Twistlock in runtime in Prod-B (and what about current Prod)? If not, then it needs to be. (recommend for RH P1 Team)
    
    Twistlock is deployed in up-prod w/ runtime defense enabled. There's no custom content and it's still in learning mode, but running containers are being scanned and runtime events are being generated. The compliance report is so-so but the vulnerability reports are fugly. I'm waiting on access to up-prod-b to verify, but I expect it's the same.
    
    > DCAR S3 Bucket - Validate Proxy in place and no direct external access (recommend for Taylor's DSOP Team)
    
    Cybersec needs to be part of this. The DSOP S3 bucket may be ACL'd but it is reachable by anything in the peered VPCs--production-vpc, staging-up-vpc, dev-up-vpc, and up-prod-vpc.
    
    > Need Encryption on open Ports (recommend for RH P1 Team to look into)
    
    There's nothing answering on 80 AFAICT, but having 80 open is useful for TLS redirect. If I can get cert-manager off the ground (still working w/ AF PKI SPO on this), 80 is required for the ACME HTTP01 challenge.
    
    > Need better diagram showing both internal and external ports/protocols right on the diagram (no IPs or become Classified Document) with encryption, and what's internal/external to AWS account, VPC, inside/outside cluster, what's public facing and what's not, application; for IATT focus on what's outside the cluster what goes in/out of cluster boundary and identify/define what goes in/out (which team will take lead?)
    
    I might be able to do much of this w/ cloudmapper, but the result is (a) a freakin' eyechart (I need to work on the filtering feature), and (b) intended to be interactive. I might be able to generate a standalone version I can just host from S3. However, there's no way to do this without IP addresses. AWS internal addresses are encoded into the internal DNS name, which has to be reported or nothing makes sense.
    
    > Action Item: Taylor send DSOP scans of apps to Nic, focus on the delta (the findings not covered by UBI)
    
    Twistlock can report CVEs by layer, but IDK about compliance. That might be a useful source.
    
    -- T
    
    _______________________________________________
    platformONE mailing list
    platformONE at redhat.com
    https://www.redhat.com/mailman/listinfo/platformone
    
    
    
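The thread asks for tooling to take deltas between OVAL results files (Tim's question at the top) and lists "identify delta between testing provided earlier this week and new environment scans" as action item 3. The script below is an added example, not code from the thread or from any OVAL tool. It assumes OVAL 5.x results files, where the `<definition>` elements under `<oval_results>/<results>/<system>/<definitions>` carry `definition_id` and `result` attributes; the two embedded documents are constructed samples trimmed to those elements, and the definition ids in them are placeholders.

```python
"""Diff two OVAL results files by definition id and report what changed.

Added example, not code from the thread or from any OVAL tool. Assumes OVAL
5.x results files: <definition> elements under <results> carry definition_id
and result attributes. The samples below are constructed and trimmed.
"""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, NamedTuple, Tuple

# Constructed sample: the earlier scan (the "testing provided earlier this week").
BASELINE_XML = """
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:example:def:1" version="1" result="true"/>
        <definition definition_id="oval:example:def:2" version="1" result="false"/>
        <definition definition_id="oval:example:def:3" version="1" result="true"/>
        <definition definition_id="oval:example:def:4" version="1" result="error"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""

# Constructed sample: the rescan of the new environment.
RESCAN_XML = """
<oval_results xmlns="http://oval.mitre.org/XMLSchema/oval-results-5">
  <results>
    <system>
      <definitions>
        <definition definition_id="oval:example:def:1" version="1" result="true"/>
        <definition definition_id="oval:example:def:2" version="1" result="true"/>
        <definition definition_id="oval:example:def:4" version="1" result="error"/>
        <definition definition_id="oval:example:def:5" version="1" result="false"/>
      </definitions>
    </system>
  </results>
</oval_results>
"""


def _local_name(tag: str) -> str:
    """Strip the XML namespace so the parser tolerates different OVAL 5.x namespaces."""
    return tag.rsplit("}", 1)[-1]


def parse_results(xml_text: str) -> Dict[str, str]:
    """Map definition_id -> result for every evaluated definition in the file.

    Only elements with a definition_id attribute count: <definition> elements in an
    embedded <oval_definitions> block use id= and describe the check, not its outcome.
    """
    results: Dict[str, str] = {}
    for el in ET.fromstring(xml_text).iter():
        if _local_name(el.tag) == "definition" and "definition_id" in el.attrib:
            results[el.attrib["definition_id"]] = el.get("result", "not evaluated")
    return results


class Delta(NamedTuple):
    added: Dict[str, str]                # present in rescan only: id -> result
    removed: Dict[str, str]              # present in baseline only: id -> result
    changed: Dict[str, Tuple[str, str]]  # in both, result differs: id -> (old, new)
    unchanged: int                       # in both with the same result


def diff_results(old: Dict[str, str], new: Dict[str, str]) -> Delta:
    """Compute the delta between two parsed results sets, sorted by definition id."""
    common = old.keys() & new.keys()
    changed = {d: (old[d], new[d]) for d in sorted(common) if old[d] != new[d]}
    return Delta(
        added={d: new[d] for d in sorted(new.keys() - old.keys())},
        removed={d: old[d] for d in sorted(old.keys() - new.keys())},
        changed=changed,
        unchanged=len(common) - len(changed),
    )


def format_delta(delta: Delta) -> str:
    """Render the delta as plain text that can be pasted into a status update."""
    lines = [f"unchanged: {delta.unchanged}"]
    lines += [f"changed:  {d}  {o} -> {n}" for d, (o, n) in delta.changed.items()]
    lines += [f"added:    {d}  {r}" for d, r in delta.added.items()]
    lines += [f"removed:  {d}  {r}" for d, r in delta.removed.items()]
    return "\n".join(lines)


def diff_files(baseline_path: str, rescan_path: str) -> Delta:
    """Diff two OVAL results files on disk."""
    with open(baseline_path, encoding="utf-8") as a, open(rescan_path, encoding="utf-8") as b:
        return diff_results(parse_results(a.read()), parse_results(b.read()))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(format_delta(diff_files(sys.argv[1], sys.argv[2])))
    else:  # no paths given: run against the constructed samples
        print(format_delta(diff_results(parse_results(BASELINE_XML), parse_results(RESCAN_XML))))
```

Run it as `python oval_delta.py baseline-results.xml rescan-results.xml`. The report deliberately states transitions rather than "fixed" or "regressed", because the meaning of `result="true"` depends on the definition's class, which lives in the definitions section rather than the results section: for a vulnerability-class definition `true` means the criteria matched and the vulnerability is present, while for a compliance-class definition `true` means the system is compliant. Read the transitions against the class of each definition before drawing conclusions.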