This repository has been archived by the owner on Oct 9, 2020. It is now read-only.
The security section currently reads: "Clean tests from a static testing SaaS (such as npm audit) and from OWASP ZAP, along with documentation explaining any false positives."
The npm audit tool is a very necessary security check and it does kind of seem like static testing. However, npm audit does not seem like a sufficient static testing tool. Similarly, ZAP is great, but I believe it requires a skilled individual using it to be effective. I think there are maybe 3 levels of tools to consider:
@greggles, the security section is one entry in a sample contract artifact — the Quality Assurance Surveillance Plan — to actually be incorporated into an RFP. We cannot advise people to include the "Before You Ship" website into an RFP. The security component of the QASP is not intended to serve as a comprehensive security guide (we'd probably advise NIST 800-53 for that), but is simply an example of the sort of requirements that might be included within the security requirements within the QASP.
I came to this document because it's in a potential set of recommendations to an organization. I read this section and felt concerned that the people receiving it as a recommendation would look at those 2 very specific tools, adopt them, and think they were done. Maybe that's a misplaced concern.
I'd be happy to try to put together a PR if you agree.