Security 9 Review


Marilina Crawn

Aug 5, 2024, 6:39:13 AM8/5/24
to mestemona
If the project gets analyzed again, could you please let us know if the security review rating gets corrected? That would confirm that the problem is related to the real-time update of measures when the hotspot was reviewed.

@knoxg If you have 100s of Hotspots to review on a single project very often, it probably means that we are raising too much. Can you share in a dedicated thread examples of Hotspots that are noisy and force you to review 100s of them?


What is a security review?

A security review is a collaborative process used to identify security-related issues, determine the level of risk associated with those issues, and make informed decisions about risk mitigation or acceptance.


Additional Information:

For additional information, to inquire about Service Manager mentoring, or for feedback on this toolkit, please contact Client Services and Security using the ITS Feedback form.


Effective October 1, 2024, DCSA will begin issuing security ratings using a refined scoring model. Until then, DCSA will continue to use the current security rating process outlined in the resources below. These refinements will only impact the rating component of the current security review process. To learn more about the refinements, visit the Future Rating Process tab.



If you have questions, please reach out to your assigned Industrial Security Representative.


Effective October 1, 2024, DCSA will begin issuing security ratings using a refined scoring model outlined in the resources below. Until then, DCSA will continue to use the current security rating process. These refinements will only impact the rating component of the current security review process. To learn more about the current process, visit the Current Resources tab.




The Quadrennial Homeland Security Review (QHSR) is the Department of Homeland Security's capstone strategy document, which is updated every four years as required by law. The report offers recommendations on long-term strategy and priorities for homeland security. Each QHSR cycle entails an extensive three-year-long review process before the report is finalized and submitted to Congress. The Department strives to make the QHSR as thorough and inclusive as possible by working with a wide range of stakeholders inside and outside government, who share responsibility for safeguarding the Homeland. The QHSR will provide the strategic foundation to ensure that the Department is ready to meet future challenges.


Released in 2023, the third Quadrennial Homeland Security Review (QHSR) assesses the threats and challenges the Department faces today and into the future and lays out the approaches DHS and the homeland security enterprise are adopting to carry out its missions. The QHSR reaffirms the five enduring homeland security missions -- and adds a new sixth mission: Combat Crimes of Exploitation and Protect Victims. Overall, this strategic guidance and updated mission framework will inform existing Departmental processes for translating priorities into resources, including the DHS Strategic Plan and the annual budget development process.


Please note: Due to an increased number of submissions, book-length manuscript reviews are currently taking several months. We apologize for this inconvenience. Please ensure adequate time for a prepublication security and policy review prior to committing to any publishing deadlines or sending the manuscript to a person or organization for endorsement.


Please note that this office can only accept submissions via email, paper copy, or on CD/DVD. Flash, thumb, and jump drives are not accepted and documents submitted on these devices will not be processed.


Requestors from within DoD must submit using a completed DD1910 signed by someone in the author's leadership chain. DOPSR is unable to accept DD1910s signed by the author. Anyone in the author's leadership chain authorized to sign general correspondence can sign the DD1910. Former DoD members, or DoD members writing outside their DoD duties, may submit using a cover letter or email message that includes the author's contact information and the publication plan, if any, for the document. Documents for Congress must be submitted using the DD1587 or DD1790. Private sector corporations must submit items for review via cover letter.


It is important to engage the Information Security team early in the project review process as risk increases exponentially when potential security issues are considered after the project has gone live.


This engagement does not constitute the initiation of the actual formal Security Review; however, the initial involvement of the Information Security Team in the planning and development phase of the application/project provides a valuable resource for determining potential risk exposures and for assisting with design basics that obviate those exposures. Additionally, it notifies the Information Security Team of the planned application/project, so that related assets, data and platforms are identified and can be protected from cybersecurity threats at the enterprise level.


The Information Security Team liaison brings a wealth of current cybersecurity information and best practice to the planning and development phase, which can substantially reduce risk and potentially reduce costs which might otherwise be incurred to address risk after a project/application goes into production.


Once an application/project reaches the test and implementation phase, a comprehensive Security Review should be requested so that all residual risk can be determined and suitable compensating controls implemented. In certain instances, the Application/Project Owner can accept this residual risk with concurrence from the Chief Information Security Officer.


Once potential risks have been identified, a Security Review Assessment form will be completed and distributed to the person who requested the review. Any identified risks that cannot be satisfactorily remediated or mitigated will be brought to the attention of the business sponsors, owners and executives requesting the given application/project, and they will be required to sign off, signifying that they are aware of and accept said risk(s).


An ISV customer of mine has a Managed Package in the AppExchange for many years now. He recently was asked to resubmit for Security Review and is now wondering what to expect and how to best plan and prepare that work.


I've gone through a resubmission last year. To be fair, the process was fairly straightforward (exactly the same as a normal submission) - but that's because I kept the resubmission in mind after my initial release.


Reviewing old code that hasn't been touched in years. It's easy to prepare when you remember the entire application in your head - less so when you wrote something 2 years ago and never looked at it since.


Definitely less work than my initial submission. I relied primarily on the code scanner report to focus my attention. With that being said, there were some issues that I detected (that the review team did not, btw) that were not found by the code scanner.


I only submitted an architectural document, without a user guide. I did provide testing instructions in the submission though, and hints and tips in the app data (click me, drag me, right-click me, etc).


Their scans are detailed. If you have anything on Heroku, you MUST use a CDN to comply with all the requirements. It costs additional money per month, but that's the only way I was able to comply with all their security requirements. I failed one review because I gave a different error message when trying to log in with a wrong password as opposed to with a username that doesn't exist. This, they rightly said, can be used to farm email addresses.


In other words: if the full codebase was developed by your team, you should take responsibility for the output; but if the codebase was created by another vendor, you should first clarify expectations that this process may be painful and time-consuming (and use it as an opportunity for your team to reduce technical debt; you can request extra time from Salesforce before making the resubmission).


Use of Checkmarx, PMD and Zap (for mobile app REST API scanning) during standard SDLC will make resubmissions smoother. We even had to provide a copy of our mobile app source, which grated for me, but you do what you have to.


NB: you have 60 days to resubmit and ideally pass. If you have to wait for office hours, you need to communicate this via the case raised for resubmission in order to avoid having your AppExchange listing set private by Salesforce. Do not delay and do not forget to request an extension of the deadline, otherwise you can find your listing disappears!


To protect Purdue University IT Resources and Information Assets, all new purchases of IT software, applications, or cloud services for use by the University must undergo a security review prior to purchase to identify any risks that the software or service presents to these resources. If the product or service will store, process, or transmit data classified by Purdue as Sensitive or Restricted, or will integrate with existing University systems, security controls must be in place to safeguard the data. The security review identifies the security controls that have been implemented by the vendor software or service. Implementation readiness includes the implementation of recommendations made in the review report, as well as security services for vulnerability management, endpoint protection, authentication, and logging. Requirements relative to security policy, standards, or data handling that are not met require the submission of a Security Policy/Procedures Exception request. Purchasers of cloud computing services should also be aware of the Cloud Computing Consumer Guidelines, which provide guidance on operational and contractual requirements.
