Comments (5)
We'd need to talk more about how this would work, since the hard thing here is where the decryption key lives --- obviously not in the same database that it's protecting. Is the key specific to an org? How do we securely grant site users and GovReady administrative staff access to it?
Est: A few days to a week, depending on the details, and there would likely be some technical debt until a security expert could look over the implementation.
from govready-q.
Some possibilities for how to securely, and possibly ephemerally, store answers like credentials for other services (like Jira):
a) Answer is stored in the database and encrypted with a key known and entered by the user, e.g. possibly reusing the user's password at login (but not the hash of the password stored in the database, because then the key is stored in the same database as the encrypted content). But where is the key persisted so that the user doesn't have to enter it on each HTTP request?
b) Answer is stored in the database and encrypted with a key stored in an HTTP cookie, so that the key is not stored in our database and we can make the key expire quickly to make the stored value ephemeral (after expiry, the value can no longer be decrypted).
c) Answer is stored in the database session storage, so it would get purged shortly after a user's login session expires - at logout, or after a few weeks. The encryption key would be stored... somewhere else.
d) Answer is stored in a cookie specifically for holding ephemeral answers to questions, which would allow us to expire it sooner. But the cookie would need to be encrypted (for the user's protection) and signed (for ours), jacking up the size of the payload and limiting what we can put in the cookie.
e) Answer is stored in browser local storage so that the Q server doesn't actually see it until it needs it, and it would be sent via AJAX to Q only sometimes.
from govready-q.
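Option (b) above, as an added stdlib-only sketch that is not part of this thread or of govready-q's code: the ciphertext lives in the database, the only copy of the key lives in an expiring cookie, and once the cookie is gone the row is unreadable. It assumes plain dicts `db` and `cookies` standing in for the database row and the browser cookie jar, an integer `now` standing in for the clock the browser uses to expire cookies, and an HMAC-SHA256 counter-mode keystream standing in for AES so the example has no dependencies.

```python
import hashlib
import hmac
import secrets

COOKIE_TTL = 900  # seconds the key cookie lives; afterwards the DB row is undecryptable

def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the per-answer cookie key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a dependency-free PRF keystream standing in for AES-CTR."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("stored answer was modified or the key is wrong")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def store_answer(db: dict, cookies: dict, question_id: str, answer: str, now: int) -> None:
    """Ciphertext goes to the DB; the only copy of the key goes to an expiring cookie."""
    key = secrets.token_bytes(32)  # never written to the database
    db[question_id] = encrypt(key, answer.encode())
    cookies["qkey_" + question_id] = {"value": key.hex(), "expires": now + COOKIE_TTL}

def read_answer(db: dict, cookies: dict, question_id: str, now: int):
    """Return the answer, or None once the key cookie has expired (simulated browser expiry)."""
    cookie = cookies.get("qkey_" + question_id)
    if cookie is None or now >= cookie["expires"]:
        cookies.pop("qkey_" + question_id, None)  # the browser would have discarded it
        return None
    return decrypt(bytes.fromhex(cookie["value"]), db[question_id]).decode()
```

A real deployment would mark the cookie `Secure` and `HttpOnly` and use AES-GCM from a vetted library; the point here is only where the key lives and what expiry buys.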
This is a good task for the roadmap. We will do it as part of the work with Selection Pressure b/c it integrates with API endpoints.
We could also store and retrieve the secret via an API endpoint, possibly in common with a "pop-up" variable.
Once we have an API endpoint integration, we could target an endpoint that was responsible for storing secrets.
A "pop-up" variable would be a special variable that was collected and immediately used. The variable might even be collected by a special pop-up JavaScript (like an alert). The variable would be captured by that process, used immediately, and never kept.
from govready-q.
@jlyon @aschmoe Can you share with us a couple of links for documentation you used to encrypt the GovReady Dashboard database?
from govready-q.
Closing due to age.
from govready-q.