Describe the business needs or requirements that are being met by this Product/Feature. You may also link to an existing ticket which describes this behavior.
Provide a detailed technical overview of the change.
Is there a change that will affect the security of the system?
Description of Mitigations
* // A description of any needed mitigations is brought to the top of the page.
Use this optional checklist of questions to help inform your request. The questions are meant to promote reflection. If you can clearly answer the questions above, you may delete everything below the Description of Mitigations. It is not required to fill this out every single time.
Who did what and when? Auditing and logging refer to how your application records security-related events.
Is there an impact to your existing Auditing and Logging procedures or capabilities?
- Yes
- No
If Yes, what is the impact of this change?
Use this space to describe any impacts to end user, operations teams, or downstream business functions.
Who are you? Authentication is the process where an entity proves the identity of another entity, typically through credentials, such as a username and password.
Is there an impact to your existing Authentication procedures or capabilities?
- Yes
- No
If Yes, what is the impact of this change?
Use this space to describe any impacts to end user, operations teams, or downstream business functions.
What can you do? Authorization is how your application provides access controls for resources and operations.
Is there an impact to your existing Authorization procedures or capabilities?
- Yes
- No
If Yes, what is the impact of this change?
Use this space to describe any impacts to end user, operations teams, or downstream business functions.
Who are you talking to? Communication Security ensures that all communication between components and parties is as secure as possible.
Is there an impact to your existing Communication Security procedures or capabilities?
- Yes
- No
If Yes, what is the impact of this change?
Use this space to describe any impacts to end user, operations teams, or downstream business functions.
Who does your application run as? Which databases does it connect to? How is your application administered? How are these settings secured? Configuration management refers to how your application handles these operational issues.
Is there an impact to your existing Configuration Management procedures or capabilities?
- Yes
- No
If Yes, what is the impact of this change?
Use this space to describe any impacts to end user, operations teams, or downstream business functions.
How are you keeping secrets (confidentiality)? How are you tamper-proofing your data or libraries (integrity)? How are you providing seeds for random values that must be cryptographically strong? Cryptography refers to how your application enforces confidentiality and integrity.
Is there an impact to your existing Cryptography procedures or capabilities?
- Yes
- No
If Yes, what is the impact of this change?
Use this space to describe any impacts to end user, operations teams, or downstream business functions.
When a method call in your application fails, what does your application do? How much do you reveal? Do you return friendly error information to end users? Do you pass valuable exception information back to the caller? Does your application fail gracefully? Exception management refers to how your application handles these failures without leaking sensitive details.
Is there an impact to your existing Exception Management procedures or capabilities?
- Yes
- No
If Yes, what is the impact of this change?
Use this space to describe any impacts to end user, operations teams, or downstream business functions.
How do you know that the input your application receives is valid and safe? Input validation refers to how your application filters, scrubs, or rejects input before additional processing. Consider constraining input through entry points and encoding output through exit points. Do you trust data from sources such as databases and file shares?
Is there an impact to your existing Input Validation procedures or capabilities?
- Yes
- No
If Yes, what is the impact of this change?
Use this space to describe any impacts to end user, operations teams, or downstream business functions.
How does your application handle sensitive data? Sensitive data handling refers to how your application protects any data that must be safeguarded in memory, over the network, or in persistent stores.
Is there an impact to your existing Sensitive Data procedures or capabilities?
- Yes
- No
If Yes, what is the impact of this change?
Use this space to describe any impacts to end user, operations teams, or downstream business functions.
How does your application handle and protect user sessions? A session refers to a series of related interactions between a user and your Web application.
Is there an impact to your existing Session Management procedures or capabilities?
- Yes
- No
If Yes, what is the impact of this change?
Use this space to describe any impacts to end user, operations teams, or downstream business functions.