Compliance, vuln assessment, security policies and the like? #2145

Closed
ageis opened this issue Aug 18, 2017 · 4 comments

Comments

@ageis
Contributor

ageis commented Aug 18, 2017

Sorry for not using the template on this one... I just had a simple question about whether any of the news organizations, or anyone on your team, had been asked if you are compliant with any standards. There's a whole bunch, of course.... FIPS, SOC, PCI, FedRAMP, and on and on. I'd imagine some of these standards might apply to some of the larger media organizations you work with if they are engaged in certain activity (like holding onto PII, especially).... and so their IT department might eventually want SecureDrop servers to be certified like the rest of their stuff at some point and I won't be surprised if you're asked about it soon or have been already. I suppose it depends on how they manage hosting and what their business involves whether it would ever become an issue. I don't know how much news org IT/sec departments even need to think about such stuff. Maybe even very little.

And ironically, I can imagine there being some ridiculous standards that would go directly against the model and security culture of SecureDrop and protecting source metadata.... You know, stuff like, "you must keep audit logs for 12 months or more"....

But anyway, if it does arise, there's stuff like:

Those I already knew about off the top of my head, even without having any experience with them; one of those I'm sure we mentioned way back when James was around.... Just googling around, cve-search is another tool that looks cool.

If you were to be subject to any such standards imposed from without, then I think the bundled osquery packs would probably get you the most bang for your buck.

If containers ever come into the picture, then CoreOS Clair is really cool... Jessie Frazelle has a demo of it up at https://r.j3ss.co/... just click on the container in the list and you're shown how many vulnerable packages are in it 👍

@ghost

ghost commented Aug 18, 2017

@ageis can I suggest opening a thread at https://forum.securedrop.club/ ? Looks like a good discussion will follow and indeed, it does not really fit the "issues" category at GitHub ;-)

@ageis
Contributor Author

ageis commented Aug 18, 2017

@dachary Sure, you can close the one here and I'll re-open there if you feel that's appropriate.

@ghost

ghost commented Aug 18, 2017

@ageis I opened a thread at https://forum.securedrop.club/t/compliance-vuln-assessment-security-policies-and-the-like and sent you an invite :-)

@ghost ghost closed this as completed Aug 18, 2017
This was referenced Aug 19, 2017
@ageis
Contributor Author

ageis commented Feb 22, 2020

Threat intelligence stuff: https://www.misp-project.org/

This issue was closed.