Vulnerability scanning
Remote
Implement vulnerability scanning to help fulfill SSP Control RA-5 - Vulnerability Scanning (https://nvd.nist.gov/800-53/Rev4/control/RA-5).
This risk assessment control is considered the responsibility of the organization, so for the base control the Docker compliance control reference (https://docs.docker.com/compliance/reference/800-53/ra/#ra-5-risk-assessment) doesn't offer any help.
Employing a remote vulnerability scanning tool (in addition to code scanning with Bandit, https://github.com/openstack/bandit) will help us meet our obligations under RA-5.
Choose OpenVAS (Open Vulnerability Assessment System, https://www.openvas.org/) and run it ourselves or have it hosted by a provider such as ServerWat.ch (https://www.serverwat.ch/, $20/month), or choose a proprietary provider such as Tinfoil Security (https://www.tinfoilsecurity.com/, $60/month) or Sucuri (https://sitecheck.sucuri.net/, free to $25/month).
anti-DDoS
Deflect (https://deflect.ca/) - https://github.com/equalitie/autodeflect
Code analysis
Also known as static application security testing.
NIST has a long list of source code security analyzers (https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html).
They're missing some of the better tools, at least for Python.
Python
- pyt - https://github.com/python-security/pyt
- pylint - https://pylint.org/ - see also https://security.web.cern.ch/security/recommendations/en/codetools/pylint.shtml
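To show what tools like Bandit and pyt actually do when they run static application security testing over Python, here is an added example (not code from this page, Bandit, pyt or pylint) of a minimal AST-based checker. The rule names (EVAL_EXEC, SHELL_TRUE, UNSAFE_DESERIALIZE, HARDCODED_SECRET), the credential-name heuristics and the SAMPLE_SOURCE module are all constructed for this illustration; real tools ship far larger rule sets and, in pyt's case, taint tracking from sources to sinks, which this checker does not attempt.

```python
"""Minimal AST-based static security checker (added example, hypothetical rule names)."""
import ast
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    line: int
    rule: str
    message: str


# Rule table for this example; these are not Bandit's or pyt's identifiers.
DANGEROUS_CALLS = {
    "eval": ("EVAL_EXEC", "eval()/exec() on attacker-influenced input runs arbitrary code"),
    "exec": ("EVAL_EXEC", "eval()/exec() on attacker-influenced input runs arbitrary code"),
    "pickle.load": ("UNSAFE_DESERIALIZE", "pickle deserialisation of untrusted data can execute code"),
    "pickle.loads": ("UNSAFE_DESERIALIZE", "pickle deserialisation of untrusted data can execute code"),
}
# Variable-name fragments that suggest a credential (heuristic, constructed here).
SECRET_HINTS = ("password", "passwd", "secret", "token", "api_key")


def _dotted_name(func: ast.expr) -> str:
    """Reconstruct 'pkg.mod.attr' for a call target, or '' if it is not a plain name chain."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if not isinstance(func, ast.Name):
        return ""
    parts.append(func.id)
    return ".".join(reversed(parts))


class InsecureCodeVisitor(ast.NodeVisitor):
    """Walk the AST and record calls and assignments matching the rules above."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def _report(self, node: ast.AST, rule: str, message: str) -> None:
        self.findings.append(Finding(node.lineno, rule, message))

    def visit_Call(self, node: ast.Call) -> None:
        name = _dotted_name(node.func)
        if name in DANGEROUS_CALLS:
            self._report(node, *DANGEROUS_CALLS[name])
        # subprocess.* with shell=True hands the command string to a shell, so any
        # user-controlled fragment of it becomes command injection.
        if name.startswith("subprocess."):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self._report(node, "SHELL_TRUE",
                                 f"{name}(..., shell=True) enables command injection")
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # NAME = "literal" where NAME looks like a credential: a secret committed to source.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(
                        hint in target.id.lower() for hint in SECRET_HINTS):
                    self._report(node, "HARDCODED_SECRET",
                                 f"credential assigned as a string literal to {target.id}")
        self.generic_visit(node)


def scan(source: str) -> List[Finding]:
    """Parse Python source text and return findings sorted by line number."""
    visitor = InsecureCodeVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: (f.line, f.rule))


def report(findings: List[Finding]) -> List[str]:
    """Render findings as 'line: RULE message' strings, one per finding."""
    return [f"{f.line}: {f.rule} {f.message}" for f in findings]


# Constructed sample module for the demonstration (not real project code).
SAMPLE_SOURCE = '''\
import pickle
import subprocess

DB_PASSWORD = "hunter2"

def run(cmd):
    return subprocess.call(cmd, shell=True)

def load(blob):
    return pickle.loads(blob)

def run_safely(path):
    return subprocess.call(["ls", "-l", path])
'''

if __name__ == "__main__":
    for line in report(scan(SAMPLE_SOURCE)):
        print(line)
```

Running the module prints three findings for the sample (the hard-coded credential on line 4, the shell=True call on line 7 and the pickle.loads call on line 10) and nothing for run_safely, whose argument list never touches a shell. The point of the example is the shape of the tool: parse rather than grep, match on the resolved callee name so aliasing like `import subprocess as sp` still needs handling, and report a line number and rule id that a CI gate can act on.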