Language: PHP
License: MIT License
Stars: 516
Created about 6 years ago, updated over 1 year ago


goSDL

About

goSDL is a web application tool that serves as a self-service entry point for following a Security Development Lifecycle checklist in a software development project. This tool collects relevant information about the feature, determines the risk rating, and generates the appropriate security requirements. The tool tailors the checklist to the developers’ specific needs, without providing unnecessary unrelated security requirements. Security experts can establish custom security guidance and requirements as checklist items for all developers. This checklist is used as a guide and reference for building secure software. This encourages a security mindset among developers when working on a project and can be used to easily track the completion of security goals for that project.

Goals:

  • Self service: provide a self-service tool that lets a project lead or developer obtain a security checklist tailored to their project.
  • Specific: the project lead or developer picks the components that apply to their project, and the tool tailors the checklist to those choices without adding unrelated items.
  • Standardize: the security team can define one standardized risk assessment and set of checklist items for the whole organization.
  • Pluggable and customizable components: JSON-based components that are easy to modify and update.

General Usage

  1. Midway through a project, or as it nears completion, have a technical person complete the SDL form.

  2. After the initial risk assessment is completed, fill in the component checklist on the next page. Check everything that is relevant to the code or feature (language-wise and context-wise) and uncheck anything you know will always be irrelevant to the project. It is fine to check more than you need; items can be unchecked later.

  3. After the form is submitted, a JIRA ticket or Trello board is created with the checklist items.

  4. The goal of the SDL is to have every item checked off. If an item is a problem, ask the Security team for advice on how to move forward. A fully completed SDL checklist should expedite the security review requirement.
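The flow above (JSON-based components, an initial risk rating, a checklist tailored to the selected components) is easier to see in code. The following Python sketch is an added example, not goSDL's own code: the component schema, the risk-factor weights and the rule that SDL General always applies are assumptions made for the example, and the sample JSON is constructed inline.

```python
import json

# Constructed sample component file. The layout is hypothetical: goSDL's real
# JSON files follow the project's own customization guide, not this schema.
COMPONENTS_JSON = """
{
  "general": {"label": "SDL General", "items": [
      {"id": "gen-1", "text": "Threat model written and reviewed", "min_risk": "low"},
      {"id": "gen-2", "text": "Security team sign-off before launch", "min_risk": "high"}]},
  "web": {"label": "SDL Web", "items": [
      {"id": "web-1", "text": "State-changing endpoints enforce CSRF protection", "min_risk": "low"},
      {"id": "web-2", "text": "Content-Security-Policy header deployed", "min_risk": "medium"}]},
  "parsing": {"label": "SDL Parsing", "items": [
      {"id": "par-1", "text": "Untrusted input parsed with size limits and a fuzz harness", "min_risk": "low"}]},
  "thirdparty": {"label": "SDL Third Party and External", "items": [
      {"id": "tp-1", "text": "Dependencies pinned and scanned for known vulnerabilities", "min_risk": "low"}]}
}
"""

RISK_LEVELS = ("low", "medium", "high")

# Hypothetical weights for the initial risk assessment; each "yes" adds its weight.
RISK_FACTORS = {
    "internet_facing": 2,
    "handles_sensitive_data": 2,
    "changes_authn_authz": 1,
    "new_external_dependency": 1,
}


def load_components(text):
    """Parse the component file and reject unknown risk levels early."""
    components = json.loads(text)
    for comp in components.values():
        for item in comp["items"]:
            if item["min_risk"] not in RISK_LEVELS:
                raise ValueError(f"{item['id']}: unknown min_risk {item['min_risk']!r}")
    return components


def risk_rating(answers):
    """Map the assessment answers to low/medium/high."""
    score = sum(weight for key, weight in RISK_FACTORS.items() if answers.get(key))
    if score >= 4:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def tailor_checklist(components, selected, rating):
    """Keep the selected components (SDL General is assumed to always apply) and,
    inside each, only the items whose min_risk is at or below the project's rating."""
    wanted = {"general", *selected}
    level = RISK_LEVELS.index(rating)
    checklist = {}
    for key, comp in components.items():
        if key not in wanted:
            continue
        items = [it["text"] for it in comp["items"]
                 if RISK_LEVELS.index(it["min_risk"]) <= level]
        if items:
            checklist[comp["label"]] = items
    return checklist


def render(checklist):
    """Plain-text rendering of the kind a Trello card or Jira checklist field would carry."""
    lines = []
    for label, items in checklist.items():
        lines.append(label)
        lines.extend(f"  [ ] {text}" for text in items)
    return "\n".join(lines)


if __name__ == "__main__":
    comps = load_components(COMPONENTS_JSON)
    rating = risk_rating({"internet_facing": True, "handles_sensitive_data": True})
    print(f"risk rating: {rating}")
    print(render(tailor_checklist(comps, ["web", "parsing"], rating)))
```

The point of the min_risk gate is the "Specific" goal: a low-risk internal tool does not get the launch sign-off item, and a component nobody selected contributes nothing, so the resulting ticket holds only items the team can reasonably be expected to close.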

Using Trello

Trello is a web-based project management application that has powerful checklist support to enable you to organize your projects.

To use Trello as part of this tool, enable the Trello setting in the include/.env. You also need to generate your Trello application key from https://trello.com/app-key. When using Trello, you don't need to specify any other setting in this file.

TRELLO=true
TRELLO_API_KEY=xxxxxxxxxxxxxx

When the web page loads, it will require the user to authorize the app to get their access token to Trello. The output of this tool will create a link to a Trello board that contains security checklist items that can be used by the development team to follow the security guidelines.

Using JIRA Enterprise

Currently this tool only supports JIRA Enterprise (on premise), not JIRA Cloud, because it relies on ScriptRunner to expose the additional REST API endpoint used to populate the checklist plugin. The following add-ons must be installed in your JIRA before using this tool:

  1. ScriptRunner for Jira: required to create the additional JIRA API that updates the custom checklist in a ticket.
  2. Checklist for Jira: enables the checklist custom field in JIRA tickets.

Settings:

  1. Add a custom REST API in scriptrunner.

    • Go to "Administration" -> "Script Runner" -> "Custom Endpoint"
    • Fill out the inline script with the script in scriptrunner/Scriptrunner_REST_API.groovy
  2. Create the checklist custom field for each individual SDL component. These custom fields will be used as a placeholder template for the security checklist item.

    • Go to "Administration" -> "Issue" -> "Custom Fields" -> "add custom field"
    • Enter "SDL General" as the name. Configure the checklist custom field to have no default option. You can also associate the new checklist custom field with a specific issue type.
    • Note the custom field id while configuring the new field. It is the customFieldId parameter in the URL (e.g. https://your_domain.com/secure/admin/ConfigureCustomField!default.jspa?customFieldId=11909); the corresponding .env value is "customfield_11909". Repeat this for each SDL component so that every *_FIELD setting below has its own checklist field.
    • Afterwards, update your JIRA screen to include the new checklist custom field. Ask your JIRA administrator how to set up your project with the custom checklist.
  3. After setting up your project, configure the .env file. Sample file:

    JIRA_USERNAME=username
    JIRA_PASSWORD=password
    
    JIRA_PROJECT=PRODSEC
    JIRA_URL="https://your_domain.com"
    
    JIRA_GENERAL_FIELD=customfield_111
    JIRA_LANGUAGE_FIELD=customfield_112
    JIRA_NATIVE_FIELD=customfield_113
    JIRA_PARSING_FIELD=customfield_114
    JIRA_WEB_FIELD=customfield_115
    JIRA_THRIDPARTY_FIELD=customfield_116
    JIRA_LEGAL_FIELD=customfield_117
    JIRA_QA_FIELD=customfield_118
    

    Description:

    • JIRA_USERNAME : username of your JIRA account. A dedicated service account is strongly recommended.

    • JIRA_PASSWORD : the password of that account. It is stored in clear text in include/.env, so keep that file out of version control and readable only by the user the web server runs as.

    • JIRA_PROJECT : your JIRA project key (e.g. PRODSEC)

    • JIRA_URL : the base URL of your JIRA Enterprise instance (e.g. JIRA_URL="https://your_domain.com")

    • JIRA_GENERAL_FIELD : checklist custom field for SDL General (e.g. customfield_11909)

    • JIRA_LANGUAGE_FIELD : checklist custom field for SDL Language

    • JIRA_NATIVE_FIELD : checklist custom field for SDL Native Clients

    • JIRA_PARSING_FIELD : checklist custom field for SDL Parsing

    • JIRA_WEB_FIELD : checklist custom field for SDL Web

    • JIRA_THRIDPARTY_FIELD : checklist custom field for SDL Third Party and External

    • JIRA_LEGAL_FIELD : checklist custom field for SDL Legal & Policy

    • JIRA_QA_FIELD : checklist custom field for SDL QA
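These settings are easy to get subtly wrong: a field id copied without the customfield_ prefix, an http:// JIRA_URL that would send the service-account password in clear, or a .env readable by every user on the host. The following Python check is an added example and not part of goSDL; it parses the file, applies the rules stated above (Trello needs only its key, otherwise every JIRA_* value must be set), and derives the customfield_<id> value from the ConfigureCustomField URL. The sample .env contents are constructed and contain no real credentials or ids.

```python
import os
import re
import stat
from urllib.parse import parse_qs, urlparse

# Keys used by the README's sample .env. JIRA_THRIDPARTY_FIELD is spelled as the project spells it.
JIRA_KEYS = (
    "JIRA_USERNAME", "JIRA_PASSWORD", "JIRA_PROJECT", "JIRA_URL",
    "JIRA_GENERAL_FIELD", "JIRA_LANGUAGE_FIELD", "JIRA_NATIVE_FIELD",
    "JIRA_PARSING_FIELD", "JIRA_WEB_FIELD", "JIRA_THRIDPARTY_FIELD",
    "JIRA_LEGAL_FIELD", "JIRA_QA_FIELD",
)
CUSTOM_FIELD_RE = re.compile(r"^customfield_\d+$")


def parse_dotenv(text):
    """Minimal KEY=VALUE parser: skips blank and comment lines, strips one layer of quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def field_name_from_url(url):
    """Turn the ConfigureCustomField URL into the value the .env expects,
    e.g. ...?customFieldId=11909 -> customfield_11909."""
    ids = parse_qs(urlparse(url).query).get("customFieldId", [])
    if len(ids) != 1 or not ids[0].isdigit():
        raise ValueError("no customFieldId in URL")
    return f"customfield_{ids[0]}"


def check_env(env):
    """Return a list of problems; an empty list means the settings are complete."""
    problems = []
    if env.get("TRELLO", "").lower() == "true":
        if not env.get("TRELLO_API_KEY"):
            problems.append("TRELLO=true but TRELLO_API_KEY is empty")
        return problems  # with Trello no other setting is needed
    for key in JIRA_KEYS:
        if not env.get(key):
            problems.append(f"{key} is missing or empty")
    url = env.get("JIRA_URL", "")
    if url and not url.startswith("https://"):
        problems.append("JIRA_URL must use https://; JIRA_USERNAME/JIRA_PASSWORD are sent on every request")
    for key in JIRA_KEYS:
        value = env.get(key, "")
        if key.endswith("_FIELD") and value and not CUSTOM_FIELD_RE.match(value):
            problems.append(f"{key}={value!r} is not of the form customfield_<id>")
    return problems


def mode_problem(path, mode):
    """A .env holding a Jira password must not be group- or world-accessible."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return f"{path} has mode {mode:04o}; use 0600 so other users cannot read JIRA_PASSWORD"
    return None


def check_env_file(path):
    """Run check_env on a file and also verify its permissions."""
    with open(path, encoding="utf-8") as fh:
        problems = check_env(parse_dotenv(fh.read()))
    perm = mode_problem(path, stat.S_IMODE(os.stat(path).st_mode))
    if perm:
        problems.append(perm)
    return problems


# Constructed samples (not real credentials or field ids).
GOOD_ENV = """\
TRELLO=false
JIRA_USERNAME=svc-gosdl
JIRA_PASSWORD=example-only
JIRA_PROJECT=PRODSEC
JIRA_URL="https://jira.example.internal"
JIRA_GENERAL_FIELD=customfield_111
JIRA_LANGUAGE_FIELD=customfield_112
JIRA_NATIVE_FIELD=customfield_113
JIRA_PARSING_FIELD=customfield_114
JIRA_WEB_FIELD=customfield_115
JIRA_THRIDPARTY_FIELD=customfield_116
JIRA_LEGAL_FIELD=customfield_117
JIRA_QA_FIELD=customfield_118
"""

# Same file with three mistakes: password removed, plain http, prefix dropped from one id.
BAD_ENV = (GOOD_ENV.replace("JIRA_PASSWORD=example-only\n", "")
                   .replace("https://", "http://")
                   .replace("customfield_115", "115"))

if __name__ == "__main__":
    for problem in check_env(parse_dotenv(BAD_ENV)):
        print("FAIL:", problem)
```

Run it against include/.env with check_env_file before starting the PHP server or the container; an empty list means the Jira (or Trello) integration has everything the README asks for and the file is private to its owner.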

Usage

  1. git clone git@github.com:slackhq/goSDL.git

  2. composer install

  3. cp include/env-sample include/.env, then edit the .env settings to fit your environment.

    TRELLO=true
    TRELLO_API_KEY=
    
    JIRA_USERNAME=
    JIRA_PASSWORD=
    
    JIRA_PROJECT=
    JIRA_URL=
    
    JIRA_GENERAL_FIELD=
    JIRA_LANGUAGE_FIELD=
    JIRA_NATIVE_FIELD=
    JIRA_PARSING_FIELD=
    JIRA_WEB_FIELD=
    JIRA_THRIDPARTY_FIELD=
    JIRA_LEGAL_FIELD=
    JIRA_QA_FIELD=
    
  4. cd www

  5. php -S localhost:8000

  6. Visit http://localhost:8000/sdl.php

Usage with docker

  1. Build locally: docker build -t gosdl .

  2. Run it: docker run -ti --rm --env-file <your dotenv> -p 8080:8080 gosdl

  3. Visit http://localhost:8080/sdl.php (the host port is the first number in the -p mapping above; adjust the URL if you map a different host port).

Customize the checklist contents

Follow this guide to understand the structures of the SDL contents.
