Security Review
All new services developed under Vets-API must undergo an internal security review prior to production launch. The purpose of this review is to dive into the implementation of a new service at the code level, and ensure that the accompanying OpenAPI specification is valid and complete. The following template should be used:
Security Review Template
Participants
{{ participant }}
Interfaces Documented (OpenAPI)
Sufficient background information provided
Data shape reflects implementation
Authorization information
Model documentation includes data element source and destination
Model documentation includes data element sensitivity
PTA submitted for service changes
PIA updated if Privacy Office recommended
Rate limits defined
Size limits defined
Latency expectations and guarantees defined
Availability expectations and guarantees defined
Maintenance windows documented (discouraged, but when applicable)
Service dependencies documented
Support escalation information documented (for service, and for service dependencies)
Data Sensitivity Overview
{{ Notes on data sensitivity }}
User Authentication
{{ Notes on user authentication }}
User Authorization
{{ Notes on user authorization }}
Data Scoping
Is data sufficiently scoped to the user?
If data is cached, is the cache scoped to the user?
Are authorization policies well defined?
Logging
Requests are logged
Logs are properly sanitized
Exceptions are logged
Exceptions are properly sanitized
Dependency service requests are logged
Requests are traceable
Dependency Integrations
All dependencies are monitored
Inline requests are timed out
High latency requests are backgrounded
Alerting
SLAs defined based on product KPIs
APMs defined in Datadog
Alerts are tied to proper alert levels in Datadog
Team is on call and capable of addressing pages
ATO Review
All ATO documentation is updated to reflect new requirements