Merge branch 'main' into louzoid-dr-licensing
louzoid-gds authored Jul 9, 2024
2 parents 26127d0 + 720ce3a commit 2ac5bb6
Showing 11 changed files with 39 additions and 39 deletions.
4 changes: 2 additions & 2 deletions source/manuals/security-overview-for-websites.html.md.erb
@@ -1,6 +1,6 @@
---
title: Security overview for websites
last_reviewed_on: 2023-11-21
last_reviewed_on: 2024-06-27
review_in: 6 months
---

Expand Down Expand Up @@ -49,7 +49,7 @@ Contact your registrar and ask if they offer any additional safeguards to preven

Ask your registrar for contact details that you can use in the event of an incident and note these in your incident response plan.

Enable DNSSEC if available ([Cloudflare has a great explanation on DNSSEC](https://www.cloudflare.com/en-gb/dns/dnssec/how-dnssec-works/)).
Enable DNSSEC if practicable ([Cloudflare has a great explanation on DNSSEC](https://www.cloudflare.com/en-gb/dns/dnssec/how-dnssec-works/)).

Ensure your WHOIS details are correct and contain the organisation or department name, the main building address, and a generic shared email address (_service_-webadmin@organisation[.]gov.uk) and do not enable privacy guard.

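Review bot: changing "if available" to "if practicable" on the DNSSEC line loosens the recommendation without saying what would make it impracticable, so as written a service owner can opt out on any grounds. Suggest naming the expected exceptions (for example a registrar or DNS host that does not support DNSSEC) and asking that the decision be recorded, so the line still reads as a default-on control rather than an optional one.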
1 change: 0 additions & 1 deletion source/partials/_nav-operating-a-service.html.erb
Expand Up @@ -12,6 +12,5 @@
<li><a href="/standards/principle-least-access.html">Principle of least privilege</a></li>
<li><a href="/standards/secrets-acl.html">Tracking access control</a></li>
<li><a href="/standards/secrets-auditing.html">Secret auditing</a></li>
<li><a href="/standards/pre-commit-hooks.html">Git pre-commit</a></li>
<li><a href="/standards/vulnerability-disclosure.html">Vulnerability disclosure and security.txt</a></li>
</ul>
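Review bot: removing the "Git pre-commit" nav entry while the same commit deletes the page it pointed to leaves any other page or external bookmark that links to /standards/pre-commit-hooks.html with a 404. Before merging, search the source tree for `pre-commit-hooks` and either add a redirect for the old URL to wherever that guidance now lives (the "Secret auditing" page above is the obvious candidate) or confirm nothing else references it.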
8 changes: 6 additions & 2 deletions source/standards/alerting.html.md.erb
@@ -1,12 +1,12 @@
---
title: How to manage alerts
last_reviewed_on: 2023-06-08
last_reviewed_on: 2024-06-27
review_in: 6 months
---

# <%= current_page.data.title %>

Your service should have a system in place to send automated alerts if its monitoring system detects a problem. Sending alerts help services meet service level agreements (SLAs).
Your service should have a system in place to send automated alerts if its monitoring system(s) detects a problem. Sending alerts help services meet service level agreements (SLAs), and provide awareness of suspicious activity to enable incident response.

## Sending alerts

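Review bot: grammar in the added sentence: "system(s) detects" mixes singular and plural, and the pre-existing "Sending alerts help" should be "helps". Suggest "if its monitoring systems detect a problem. Sending alerts helps services meet service level agreements (SLAs) and gives teams awareness of suspicious activity so they can start incident response."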
Expand All @@ -15,6 +15,7 @@ Your service should send an alert when your [service monitoring][] detects an is
* affects service users
* requires action to fix
* lasts for a sustained period of time
* indicates compromise or suspicious activity (such as multiple failed login attempts or unrecognised escalation of privilege)

You should only send an alert for things that need action. Alert text should be specific and [include actionable information][]. You should not include sensitive material.

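Review bot: the new bullet "indicates compromise or suspicious activity (such as multiple failed login attempts or unrecognised escalation of privilege)" needs a threshold or a pointer to one. On a public-facing service failed logins happen constantly, and the paragraph directly below says to alert only on things that need action; without qualification this bullet produces exactly the kind of alert that gets filtered out. Suggest narrowing the examples (for example "an unusual volume of failed login attempts against one account or from one source") and saying who owns the response to a security alert.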
Expand All @@ -41,6 +42,7 @@ You must prioritise alerts based on whether they need an immediate fix. It can h

* interrupting - need immediate investigation and resolution
* non-interrupting - do not need immediate resolution
* security-related - may indicate compromise of the system

The [Google Site Reliability Engineering (SRE)][site reliability engineering] handbook classifies “interrupting” issues as “pages”, and “non-interrupting” issues as “tickets”. Put non-interrupting alerts into a ticket queue for your support team to solve. Keep the ticket queue and team backlog separate to avoid confusion. You should specify an SLA for how long both types of alert take to resolve.

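Review bot: "security-related" is not a third value on the same axis as "interrupting" and "non-interrupting": the sentence above says alerts are prioritised by whether they need an immediate fix, and a security alert can fall on either side of that. The following paragraph still says "both types of alert", which is now inaccurate. Suggest either stating that security-related alerts are treated as interrupting by default and routed into the incident response process, or making "security-related" a tag that applies across the two priorities, and updating "both types" to match.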
Expand All @@ -55,6 +57,7 @@ Recommended tools are:

- [PagerDuty][] to send high-priority / interrupting alerts
- [Zendesk][] to manage non-interrupting alerts as tickets
- [Splunk][] to manage security-related alerts

You can also configure these tools to send alert notifications using email or Slack. However, you should only use email and Slack as additions to your primary alerting tool. If alerts only go to email or Slack, people may ignore, overlook, filter them out, or treat them like spam.

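Review bot: listing "[Splunk][] to manage security-related alerts" alongside PagerDuty and Zendesk blurs what Splunk is doing here. The logging standard in this same commit describes Splunk as where logs are stored and queried, so it is more naturally the source that raises security alerts than the tool that manages them. Suggest saying how a Splunk detection reaches a person (for example forwarded to PagerDuty when interrupting, or raised as a ticket otherwise) so that the sentence below, which treats email and Slack as secondary channels only, still holds for security alerts.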
Expand All @@ -71,6 +74,7 @@ For more information refer to the:
[service monitoring]: /standards/monitoring.html
[PagerDuty]: https://www.pagerduty.com
[Zendesk]: https://www.zendesk.com
[Splunk]: https://splunk.com
[Smashing]: https://github.com/Smashing/smashing
[BlinkenJS]: https://github.com/alphagov/blinkenjs
[information about monitoring]: /standards/monitoring.html
12 changes: 7 additions & 5 deletions source/standards/how-to-do-penetration-tests.html.md.erb
@@ -1,14 +1,16 @@
---
title: How to arrange and manage penetration tests
last_reviewed_on: 2023-11-20
last_reviewed_on: 2024-06-27
review_in: 6 months
---

# <%= current_page.data.title %>

You should aim to run [penetration tests](https://www.gov.uk/service-manual/technology/vulnerability-and-penetration-testing) on your service at least every 12 months. You must discuss all significant changes with the GDS [Information Security] IA team. You must agree with the [Information Security] IA team when you will test and the scope of the tests. They will also assist with the procurement of external tests through an approved third party through the [National Cyber Security Centre (NCSC) CHECK scheme]. Alternatively, with the agreement of the IA team, a member of the [COD Cyber] Team can carry them out internally, depending on the requirements.
You should aim to run [penetration tests](https://www.gov.uk/service-manual/technology/vulnerability-and-penetration-testing) on your service at least every 12 months. You must discuss all significant changes with the GDS [Information Security][] team. You must agree with the [Information Security][] team when you will test and the scope of the tests. They will also assist with the procurement of external tests through an approved third party through the [National Cyber Security Centre (NCSC) CHECK scheme]. Alternatively, with the agreement of the Info Sec team, a member of the [COD Cyber] Team can carry them out internally, depending on the requirements.

You may need to schedule additional testing if you make significant changes to your service. You should meet with the IA team regularly to discuss ongoing changes.
Information Security are working on a GDS-level contract for ITHC services, which should make obtaining an ITHC for your service a more streamlined process.

You may need to schedule additional testing if you make significant changes to your service. You should meet with the Info Sec team regularly to discuss ongoing changes.

A significant change could be when you:

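Review bot: the reference-style link `[Information Security][]` needs a matching `[Information Security]: URL` definition in this file, and the hunk does not add one; unless it already exists further down, the text will render as literal brackets. Two smaller points in the same paragraph: "procurement of external tests through an approved third party through the ... CHECK scheme" repeats "through" (suggest "via an approved third party under the ... CHECK scheme"), and the team is called "[Information Security][] team" in one sentence and "Info Sec team" in the next and in the paragraph below; pick one form. "Information Security are working on" also reads as plural where the rest of the page treats the team as singular.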
Expand Down Expand Up @@ -47,9 +49,9 @@ Before testing, you should define and agree:

## Schedule a test

To schedule a test, [Information Security] IA team.
To schedule a test, [Information Security][] team.

If you plan to test any application, you must contact the IA team at least 3 months in advance so they can organise the procurement for you.
If you plan to test any application, you must contact the Info Sec team at least 3 months in advance so they can organise the procurement (or call-off against the existing framework) for you.

If you are planning to ask the [COD Cyber] team to perform a test, you will need to enter the information listed in the [scope your test section](#scope-your-test) and the [prepare for your test section](#prepare-for-your-test) into a Rules of Engagement document, where a scope can be agreed and signed off by both parties. As with an external company, you should give at least 3 months' notice to make sure you can schedule the test at a time that suits project timelines.

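Review bot: "To schedule a test, [Information Security][] team." is missing its verb both before and after the change; it should read something like "To schedule a test, contact the [Information Security][] team." The added "(or call-off against the existing framework)" is the first mention of a framework on this page, and the paragraph above says the GDS-level contract is still being worked on; suggest "once the GDS-level contract is in place" or similar so the two statements agree.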
4 changes: 2 additions & 2 deletions source/standards/logging.html.md.erb
@@ -1,6 +1,6 @@
---
title: How to store and query logs
last_reviewed_on: 2022-02-07
last_reviewed_on: 2024-06-27
review_in: 6 months
---

Expand All @@ -12,7 +12,7 @@ to respond to security incidents.
Use [Splunk] to store and query infrastructure, application and audit logs.

Splunk is a cloud-based SaaS tool for short and long-term storage,
visualisation, alerting, and reporting.
visualisation, alerting, and reporting of cyber security log information.

Your product should have a proportionate design for short and long term storage of logs and ensuring the Confidentiality, Integrity, and Availability of logs.

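Review bot: narrowing the Splunk description to "reporting of cyber security log information" contradicts the line two above, which says to use Splunk for infrastructure, application and audit logs. If the intent is that Splunk is the security log platform only, say so in both places; if it is the general log platform, the previous wording was more accurate. Suggest "visualisation, alerting, and reporting of infrastructure, application and security log information", or leaving the sentence as it was.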
3 changes: 2 additions & 1 deletion source/standards/optimise-frontend-perf.html.md.erb
Expand Up @@ -20,11 +20,12 @@ For example:
| #High | Position assets correctly | [Set styles at the top of the page][] and [`defer` scripts][]. |
| | Compress static resources | [Minify][] CSS and JavaScript and use a compression algorithm like [Gzip][] and [Brotli][] on assets. |
| | Set correct Headers | Set correct [Cache-Control][] and [ETag][] headers on assets for optimal caching. |
| | Minimise unused code | Avoid including CSS and JavaScript that is not used on your site. |
| #Medium | Include `width` and `height` attributes on images to minimise layout thrashing | Make sure to include these attributes to improve visual stability and the [Cumulative Layout Shift (CLS)][] metric. |
| | Minimise TCP connections | Use fewer third-party domains to reduce the number of DNS + TCP + SSL negotiations per page. |
| | Investigate [lazy loading][] | For pages with many images, only load images in the immediate browser viewport. |
| | Investigate the impact of loading [@font-face][] assets on perceived performance | Use the CSS `font-display` property or other [font-loading strategies][] to manage common issues like [FOUT, FOIT and FOFT][]. |
| | Minimise HTTP requests | Minimise the number of CSS and JavaScript files to reduce the number of round-trips to the server. See ‘Code splitting’ below. |
| | Minimise HTTP requests | Minimise the number of CSS and JavaScript files to reduce the number of round-trips to the server. See ‘Code splitting’ below. |
| #Low | Reduce cookie size | Because every cookie is sent with each HTTP request, enable HTTP/2 to enable HPACK header compression or HTTP/3 for QPACK. |
| | Investigate using a Content Delivery Network (CDN) | A CDN will improve site performance by using a network of servers to deliver resources to users. The user will get delivered resources from the server that is located nearest to the user. A CDN is well-suited to handling heavy traffic and traffic spikes. |
| | Keep JSON payloads small | Avoid adding too much data to JSON objects, as parsing them can be slow. |
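Review bot: the "Minimise HTTP requests" row appears as both the removed and the added line with identical visible text, so the change is presumably trailing whitespace or a quote character; worth viewing the diff with whitespace shown to confirm nothing else moved. The new #High row "Minimise unused code" is the only row in the table whose third column gives no link to a technique or tool, whereas every other row links to how to do it. Suggest pointing at a coverage or tree-shaking approach, or at the ‘Code splitting’ section that the "Minimise HTTP requests" row already references.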
16 changes: 0 additions & 16 deletions source/standards/pre-commit-hooks.html.md.erb

This file was deleted.
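Review bot: deleting source/standards/pre-commit-hooks.html.md.erb removes the page the nav entry pointed to without a redirect or a note on where that guidance now lives. If the content was out of date, consider folding whatever part is still useful into the "Secret auditing" standard and adding a redirect for the old URL, so existing links keep working and the topic does not silently disappear from the operating-a-service section.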

6 changes: 4 additions & 2 deletions source/standards/principle-least-access.html.md.erb
@@ -1,14 +1,14 @@
---
title: Principle of Least Privilege
last_reviewed_on: 2023-11-20
last_reviewed_on: 2024-06-27
review_in: 6 months
---

# <%= current_page.data.title %>

The [principle of least privilege][polp] involves setting up user accounts so they can only access and use the information they need for specific tasks. This can also apply to processes and individuals who might have to switch between normal access and the increased access of a superuser account as part of their work.

All access provisioned for use within GDS must be provided on a least privilege basis
All access provisioned for use within GDS must be provided on a least privilege basis.

Examples of privileged or higher security access are:

Expand Down Expand Up @@ -38,6 +38,8 @@ Your team should:
- in cases where JIT access is not implemented for users with privileged access that have critical business impact, implement a documeneted periodic review (cadence to be defined) of the need to continually have these privileged access granted to confirmed users
- have a Joiners, Movers and Leavers process, where line managers (or equivalent) arrange for privileged access to be removed (SLA to be defined) where it is not required. See this [NCSC guide on identity management](https://www.ncsc.gov.uk/guidance/introduction-identity-and-access-management) for more information.

It's important to recognise opportunities for privilege creep / accumulation and to design in suitable processes for preventing it.

## Examples

For human-readable secrets, such as a username and password, you should set up a separate secret or [password manager](https://www.ncsc.gov.uk/collection/passwords/password-manager-buyers-guide).
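Review bot: the new sentence on privilege creep states the risk without naming the control, and the list above already contains it: the periodic review of standing privileged access is the mechanism that catches accumulation. Suggest tying the two together, for example "The periodic review above is also the point at which privilege creep or accumulation should be identified and removed." While touching this list, the unchanged context line above has a typo ("documeneted" should be "documented"), and both "(cadence to be defined)" and "(SLA to be defined)" are still unset placeholders in a published standard; either set them or track them as an issue.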
2 changes: 1 addition & 1 deletion source/standards/threat-modelling.html.md.erb
@@ -1,6 +1,6 @@
---
title: Threat Modelling
last_reviewed_on: 2023-11-21
last_reviewed_on: 2024-06-27
review_in: 6 months
---

6 changes: 3 additions & 3 deletions source/standards/tracking-dependencies.html.md.erb
@@ -1,6 +1,6 @@
---
title: How to manage third party software dependencies
last_reviewed_on: 2023-06-08
last_reviewed_on: 2024-06-27
review_in: 6 months
---

Expand All @@ -20,7 +20,7 @@ Update your dependencies frequently rather than in ‘big bang’ batches. This

There are tools which scan GitHub repositories and raise pull requests (PRs) when they find dependency updates. Teams at GDS are using:

* [Dependabot][] - used by GOV.UK, GOV.UK Pay, GovWifi and Digital Marketplace. The GOV.UK docs contain [guidance on using Dependabot][] and [how the PRs raised should be reviewed][]
* [Dependabot][] - used by GOV.UK, and GOV.UK Pay. The GOV.UK docs contain [guidance on using Dependabot][] and [how the PRs raised should be reviewed][]
> Note: this is separate from the [security-only updates provided automatically by GitHub Dependabot].

> Note: repos requiring at least one approving review for PRs cannot, and should not, use [Dependabot's auto-approve-and-merge facility].
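Review bot: "used by GOV.UK, and GOV.UK Pay" has a stray comma for a two-item list; suggest "used by GOV.UK and GOV.UK Pay". Dropping GovWifi and Digital Marketplace is fine if they no longer use Dependabot, but if either moved to a different tool, the `no-dependabot` paragraph further down is where that should be reflected.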
Expand All @@ -33,7 +33,7 @@ There are tools which scan GitHub repositories and raise pull requests (PRs) whe

All the above tools are free to use on public repositories.

The CDIO Cyber Security team will review the repositories that do not have dependency management in use and will turn on Dependabot where required. Service teams are free to use a different tool such as [Snyk](https://snyk.io/), but will need to add a `no-dependabot` tag to their repository for monitoring purposes. You can [contact Cyber Security](https://gds.slack.com/archives/CCMPJKFDK) if you have any questions or need help.
The COD Cyber Security team will review the repositories that do not have dependency management in use and will turn on Dependabot where required. Service teams are free to use a different tool such as [Snyk](https://snyk.io/), but will need to add a `no-dependabot` tag to their repository for monitoring purposes. You can [contact Cyber Security](https://gds.slack.com/archives/CCMPJKFDK) if you have any questions or need help.

## Monitor for vulnerabilities

16 changes: 12 additions & 4 deletions source/standards/web-application-firewall.html.md.erb
@@ -1,6 +1,6 @@
---
title: Use a web application firewall (WAF)
last_reviewed_on: 2023-06-08
last_reviewed_on: 2023-06-27
review_in: 6 months
---

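Review bot: the review date here is set to 2023-06-27 while every other file in this commit is set to 2024-06-27, which looks like a typo in the year. With review_in: 6 months, a 2023 date marks the page as already overdue for review the moment it is published.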
Expand All @@ -17,8 +17,10 @@ Combining a WAF with CI and CD tools reduces the risk from those tools, and prov
You may also need to use a WAF because of:

- GDS or departmental policies or standards
- [Information Assurance (IA)](https://sites.google.com/a/digital.cabinet-office.gov.uk/gds/gds-operations/information-services/information-assurance) requirements to minimise risk
- HMG Standards such as the [Cyber Assessment Framework][] (NCSC) or [Secure by Design Principles][] (CDDO)
- [Information Security][] requirements to minimise risk
- [Payment Card Industry Data Security Standard (PCI DSS)](https://www.pcisecuritystandards.org/) compliance
- they are generally considered basic practice for protecting public web applications

## When and how to use a WAF

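Review bot: the new last bullet "they are generally considered basic practice for protecting public web applications" does not fit the lead-in "You may also need to use a WAF because of:", which the other bullets complete as noun phrases. Suggest "general good practice for protecting public web applications", or moving the point into the sentence above the list. The three new reference-style links ([Cyber Assessment Framework][], [Secure by Design Principles][], [Information Security][]) also depend on correctly formed `[label]: url` definitions at the end of the file, so check how they render.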
Expand Down Expand Up @@ -75,9 +77,9 @@ For more information read the proposed architecture for [implementing a DDoS-res

GOV.UK Pay operates under the governance of [PCI compliance and DSS point 6.6](https://www.pcisecuritystandards.org/pdfs/infosupp_6_6_applicationfirewalls_codereviews.pdf) which states the need for web application scanning.

## Contact Cyber Security
## Contact GDS Information Security or COD Cyber Security

Contact the security architects in the GDS Cyber Security team by email at [cyber.security@digital.cabinet-office.gov.uk](mailto:cyber.security@digital.cabinet-office.gov.uk) or use the [#cyber-security-help Slack channel](https://gds.slack.com/messages/CCMPJKFDK/) for help and advice.
Contact GDS [Information Security][] or the security architects in the COS Cyber Security team by email at [cyber.security@digital.cabinet-office.gov.uk](mailto:cyber.security@digital.cabinet-office.gov.uk) or use the [#cyber-security-help Slack channel](https://gds.slack.com/messages/CCMPJKFDK/) for help and advice.

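Review bot: "COS Cyber Security team" is inconsistent with "COD Cyber" on the penetration testing page and "COD Cyber Security team" on the dependencies page in this same commit; it looks like a typo for COD. The heading now names two teams, but the paragraph gives one email address and one Slack channel, both for Cyber Security. If Information Security has its own contact route, add it; otherwise the [Information Security][] link is doing that job and the sentence should say so.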
## Further reading

Expand All @@ -86,3 +88,9 @@ To find out more about WAF refer to:
- [Open Web Application Security Project (OWASP)](https://owasp.org/) the OWASP Foundation
- [WASC OWASP Web Application Firewall](https://wiki.owasp.org/index.php/WASC_OWASP_Web_Application_Firewall_Evaluation_Criteria_Project) Evaluation Criteria Project
- [National Cyber Security Centre (NCSC)](https://www.ncsc.gov.uk/) guidance

## References

- [Information Security]: https://sites.google.com/a/digital.cabinet-office.gov.uk/gds/directorates-and-groups/cto-and-ciso-office/information-security
- [Cyber Assessment Framework]: https://www.ncsc.gov.uk/collection/cyber-assessment-framework/introduction-to-caf
- [Secure by Design Principles]: https://www.security.gov.uk/guidance/secure-by-design/
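Review bot: the three link definitions under the new "## References" heading are written as list items ("- [Information Security]: https://..."). Whether a definition inside a list item is registered as a link target depends on the Markdown renderer (CommonMark allows it, but several renderers only pick up definitions that start at the beginning of a line), and even where it is recognised the page ends up with a "References" heading followed by an empty bullet list. Drop the heading and the leading "- " and put the bare definitions at the end of the file, which is the convention the alerting page in this same commit already uses (`[PagerDuty]: https://www.pagerduty.com`); that also makes `[Information Security][]`, `[Cyber Assessment Framework][]` and `[Secure by Design Principles][]` above resolve reliably.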
