
Perform ZAP scans with an authenticated session #1349

Closed · 2 tasks
mogul opened this issue Jun 27, 2023 · 2 comments

mogul (Contributor) commented Jun 27, 2023

At a glance

In order to ensure we are finding vulnerabilities only visible to authenticated users
as a FAC compliance-focused person
I want OWASP ZAP scans to be run in an authenticated session

Acceptance Criteria

We use DRY behavior-driven development wherever possible.

Scenario:

Given
when
...

then...

Shepherd

  • Design shepherd:
  • Engineering shepherd:

Background

Security Considerations

Required per CM-4.

Sketch

Check out this example of how to do it

Tasks


Process checklist

Sketch

  • Design designs all the things
  • Engineering engineers all the things

Definition of Done

Triage

If not likely to be important in the next quarter...

  • Archived from the board

Otherwise...

  • Has a clear story statement
  • Design or Engineering accepts that it belongs in their respective backlog

Design Backlog

  • Has clearly stated/testable acceptance criteria
  • Meets the design Definition of Ready [citation needed]
  • A design shepherd has been identified

Design In Progress

  • Meets the design Definition of Done [citation needed]

Design Review Needed

  • Necessary outside review/sign-off was provided

Design Done

  • Presented in a sprint review
  • Includes screenshots or references to artifacts

If no engineering is necessary

  • Tagged with the sprint where it was finished
  • Archived

Engineering Backlog

  • Has clearly stated/testable acceptance criteria
  • Has a sketch or list of tasks
  • Can reasonably be done in a few days (otherwise, split this up!)

Engineering Available

  • There's capacity in the In Progress column
  • An engineering shepherd has been identified

Engineering In Progress

If there's UI...

  • Screen reader - Listen to the experience with a screen reader extension, ensure the information is presented in order
  • Keyboard navigation - Run through acceptance criteria with keyboard tabs, ensure it works.
  • Text scaling - Adjust viewport to 1280 pixels wide and zoom to 200%, ensure everything renders as expected. Document 400% zoom issues with USWDS if appropriate.

Engineering Blocked

  • Blocker removed/resolved

Engineering Review Needed

  • Outside review/sign-off was provided

Engineering Done

  • Presented in a sprint review
  • Includes screenshots or references to artifacts
  • Tagged with the sprint where it was finished
  • Archived

danswick (Contributor) commented:

@asteel-gsa is this okay to close?

asteel-gsa (Contributor) commented:

> @asteel-gsa is this okay to close?

I am not really sure what this is, if I am honest. I believe so.

asteel-gsa closed this as not planned on Oct 26, 2023
No branches or pull requests

3 participants