Vibrant continues to invest in securing service delivery and protecting data critical to help seekers. Meanwhile, we are learning again that we write software.
This repository contains Vibrant's development of system security requirements. It is maintained by the InfoSec team.
- architecture
- authentication
- session management
- access control
- validation, sanitization, & encoding
- cryptography
- error logging
- data protection
- communications
- malicious code
- business logic
- files & resources
- api
- configuration management
Vibrant continues to awaken to concepts of security and the control of IT systems, and though we have started to invest (time, money, and person-power) in security, we have a long way to go.
So, these requirements should match Vibrant's consensus on achievable state-of-the-art. If you see anything that doesn't pass the Vibrant smell test, do reach out!
Important
It is very unlikely we meet the level 1 requirements considered 'adequate' first steps by NIST, much less level 2 or 3.
This set of requirements should be achievable. Consider them as possible release standards sometime in the near future and comment accordingly.
As we understand need and appetite, we will work with you (dear reader) to craft SMART requirements for your specific system development needs. (together 💌)
InfoSec chose the latest release of OWASP Application Security Verification Standard as the inspiration for Vibrant's security requirements, for a variety of reasons. Here are a few:
- it maps directly to NIST guidelines
- it offers tiers of requirements, allowing for variation in maturity and risk management
- it represents consensus best-practice within a global application security community