FedRAMP Vulnerability Scanning and Triage Process

1. You are here:
2. Handbook
3. Security at GitLab
4. Security Engineering
5. Application Security
6. Application Security Runbooks
7. FedRAMP Vulnerability Scanning and Triage Process

On this page

• FedRAMP Vulnerability Scanning and Triage Process
  • Vulnerability reports
    • 1. Container scanner
    • 2. DAST Scan
  • Vulnerability Triage process guide
    • Container scanner vulnerability triage
    • DAST scanner vulnerability triage
    • For each finding from DAST and container scanners:
• SLAs

FedRAMP Vulnerability Scanning and Triage Process

Vulnerability Scans: DAST API scan, DAST web scan, Container scan.

We are required for FedRAMP to triage issues reported by our scanners in our FedRAMP scoped images used in production.

Vulnerability reports

This section lists security dashboards that need to be reviewed:

1. Container scanner

Vulnerability reports for container scanner are to be triaged from this page.

Currently we do not have the ability to filter based on images.

Container scanner findings will typically be straightforward to triage, since severity ratings and SLA requirements are dictated by the CVSS score provided by the National Vulnerability Database. Please see the Vulnerability management changes required for FedRAMP page in the internal handbook for more information.

2. DAST Scan

Findings are to be triaged from this vulnerability report page.

Vulnerability Triage process guide

Note: this guide is intended for any teams triaging FedRAMP vulnerabilities.

Container scanner vulnerability triage

• Follow the process described in the triage section of the container scanner repository.
• For each true positive finding, follow the steps listed in the next section.

DAST scanner vulnerability triage

• Verify if the vulnerability is not a false positive.
• If the vulnerability is a false positive, close it with details on why it is a false positive.
• If the vulnerability is not a false positive, evaluate the severity and continue on the next section.

For each finding from DAST and container scanners:

• Create a confidential tracking issue for each reported vulnerability.
• Add the labels ~security ~"bug::vulnerability" ~"FedRAMP::Vulnerability" and relevant group labels.
• Add severity and priority labels:
  • Match the severity of the tracking issue to the severity of the CVSS from NIST NVD.
  • If CVSS is not available, use the CVSS from the vendor.
  • If the vendor did not provide any CVSS, then match with the severity of the vulnerability assigned by the scanner (or your severity based on your assessment).
• Make sure due dates are assigned for the issues based on remediation SLA. The due date is counted from the date on which the scanner detected the vulnerability.
• Ping the relevant product and engineering managers for remediation
• Product teams to create a Deviation Request for vulnerabilities that are false positive or cannot be remediated within the due date.
• Application Security team can help if needed (for example when risk adjustment is not clear) before the DR is submitted.
• The process continues based on the Deviation Request procedure.

SLAs

SLAs can be consulted on the vulnerability management remediation SLAs page.