stackArmor has supported HUD since April 2016 in the development and operation of the security process used by the HUD CI/CD pipeline to introduce newly developed software into the HUD operational environment. HUD CI/CD coordinates with the HUD CISO Security Team (OITS) to implement the risk thresholds that apply to application projects. stackArmor developed and supported a security-oriented dashboard, reporting, and automated scanning solution that runs as part of the CI/CD pipeline and provides the HUD CISO Security Team with the findings it needs for CISO decision making. The HUD CISO Security Team works with the respective project development teams to identify issues requiring remediation, based on the reports generated by the HUD CI/CD pipeline. Identified issues that cannot be remediated in the short term are documented through the Plan of Action and Milestones (POA&M) process for the Staging and Production environments; project teams are responsible for documenting and tracking their POA&M items. All information assurance (IA) activities are coordinated through the HUD CISO Security Team.
stackArmor has assisted with the introduction and development of the security automation and reporting aspects of the CI/CD pipeline in support of the HUD OITS/CISO Security team. The tools and technologies used for the development of the solution included:
- YASCA for static code analysis;
- SonarQube integration for code quality;
- HPE Fortify Static Code Analyzer (SCA) for static application security testing (SAST);
- Tenable Nessus for vulnerability scanning;
- OpenSCAP for configuration compliance testing, evaluating the operating system configuration against an established XCCDF checklist profile;
- ClamAV antivirus scanner for Linux operating systems;
- Windows Defender antivirus scanner for Windows operating systems; and
- Splunk for ingesting log data from systems and applications, providing reporting as well as data visualization through dashboards.
stackArmor supported the HUD CI/CD and IA mission with modern DevOps and automation techniques under the ESTARS program.