@jsosulska
Last active August 18, 2022 20:30
Security Impact Analysis Pull Request Template

Security Impact Analysis Questionnaire

Business Overview

Describe the business needs or requirements that are being met by this Product/Feature. You may also link to an existing ticket which describes this behavior.

Technical Overview

Provide a detailed technical overview of the change.

Security Risks Identified

Is there a change that will affect the security of the system?

Description of Mitigations
  * // A description of any needed mitigations is brought to the top of the page.

(Optional) Submitter Checklist

Use this optional checklist of questions to help inform your request. The questions are meant to promote reflection. If you can clearly answer the questions above, you may delete everything below the Description of Mitigations. It is not required to fill this out every. single. time.

Auditing and Logging

Who did what and when? Auditing and logging refer to how your application records security-related events.

Is there an impact to your existing Auditing and Logging procedures or capabilities?

  • Yes
  • No
If Yes, what is the impact of this change?
Use this space to describe any impacts to end users, operations teams, or downstream business functions.

Authentication

Who are you? Authentication is the process by which one entity verifies the identity of another, typically through credentials such as a username and password.

Is there an impact to your existing Authentication procedures or capabilities?

  • Yes
  • No
If Yes, what is the impact of this change?
Use this space to describe any impacts to end users, operations teams, or downstream business functions.

Authorization

What can you do? Authorization is how your application provides access controls for resources and operations.

Is there an impact to your existing Authorization procedures or capabilities?

  • Yes
  • No
If Yes, what is the impact of this change?
Use this space to describe any impacts to end users, operations teams, or downstream business functions.

Communication Security

Who are you talking to? Communication Security ensures that all communication is as secure as possible.

Is there an impact to your existing Communication Security procedures or capabilities?

  • Yes
  • No
If Yes, what is the impact of this change?
Use this space to describe any impacts to end users, operations teams, or downstream business functions.

Configuration Management

Who does your application run as? Which databases does it connect to? How is your application administered? How are these settings secured? Configuration management refers to how your application handles these operational issues.

Is there an impact to your existing Configuration Management procedures or capabilities?

  • Yes
  • No
If Yes, what is the impact of this change?
Use this space to describe any impacts to end users, operations teams, or downstream business functions.

Cryptography

How are you keeping secrets (confidentiality)? How are you tamper-proofing your data or libraries (integrity)? How are you providing seeds for random values that must be cryptographically strong? Cryptography refers to how your application enforces confidentiality and integrity.

Is there an impact to your existing Cryptography procedures or capabilities?

  • Yes
  • No
If Yes, what is the impact of this change?
Use this space to describe any impacts to end users, operations teams, or downstream business functions.

Exception Management

When a method call in your application fails, what does your application do? How much do you reveal? Do you return friendly error information to end users? Do you pass valuable exception information back to the caller? Does your application fail gracefully?

Is there an impact to your existing Exception Management procedures or capabilities?

  • Yes
  • No
If Yes, what is the impact of this change?
Use this space to describe any impacts to end users, operations teams, or downstream business functions.

Input Validation

How do you know that the input your application receives is valid and safe? Input validation refers to how your application filters, scrubs, or rejects input before additional processing. Consider constraining input through entry points and encoding output through exit points. Do you trust data from sources such as databases and file shares?

Is there an impact to your existing Input Validation procedures or capabilities?

  • Yes
  • No
If Yes, what is the impact of this change?
Use this space to describe any impacts to end users, operations teams, or downstream business functions.

Sensitive Data

How does your application handle sensitive data? Sensitive data refers to how your application handles any data that must be protected either in memory, over the network, or in persistent stores.

Is there an impact to your existing Sensitive Data procedures or capabilities?

  • Yes
  • No
If Yes, what is the impact of this change?
Use this space to describe any impacts to end users, operations teams, or downstream business functions.

Session Management

How does your application handle and protect user sessions? A session refers to a series of related interactions between a user and your Web application.

Is there an impact to your existing Session Management procedures or capabilities?

  • Yes
  • No
If Yes, what is the impact of this change?
Use this space to describe any impacts to end users, operations teams, or downstream business functions.

END of Security Impact Analysis
