Skip to content

Latest commit

 

History

History
18 lines (13 loc) · 1.76 KB

security_standards.md

File metadata and controls

18 lines (13 loc) · 1.76 KB

Software Must Meet Basic Security Standards

This is one of the tier 1 standards. See full list on the main page.

Short description

While certain applications require a more focused analysis of their security vulnerabilities, all software products should follow the most basic security standards.

Importance of this standard

Basic security standards need to be met in order to protect unintended information from being released which can lead to vulnerabilities in the software, or even STScI as a whole.

Options for this standard

Different tools will have different possibilities for security vulnerabilities, so it is up to the code owners to determine what the most relevant problems are. All tools should follow the STScI Style Guide's list of information to never commit. Software tools deemed to have more risks can also look into the OWASP Top 10 list of security risks and how to prevent them.

How to apply this standard

To meet the most basic security requirement of not committing sensitive information, you will need to:

  • Check the repository for any sensitive information that may have been committed. This includes usernames, passwords, tokens, etc.
  • If any sensitive information is found, remove it from the repository and immediately invalidate any tokens/passwords as they are no longer secure.
  • Consider cleaning out the git history to remove commits containing this sensitive information (e.g. changelogs). See GitHub's documentation on removing secure information for details on this process.