23 posts tagged security

January 25, 2018

Getting DevOps buy-in to facilitate agile

By Clint Troxel , Waldo Jaquith

Agile without DevOps is a bundle of potential energy with no outlet. We’ve found that it’s easier to get agency buy-in for DevOps if automated security audits are part of that work.

Continue reading about Getting DevOps buy-in to facilitate agile

devops agile security

September 26, 2017

Automated scanning for sensitive information in the development lifecycle

By Adam Kendall

Often when developing open source software, and especially software that relies on outside services, you’ll find that you have to manage sensitive information. While there are a large number of things that can be considered sensitive, open source developers often deal with sensitive items such as API tokens, passwords, and private keys that are required for the system to function. Here's how we approached keeping this information safe.

Continue reading about Automated scanning for sensitive information in the development lifecycle

open source security devops how we work tools you can use technical guides

August 22, 2017

Government launches login.gov to simplify access to public services

By Joel Minton , Tom Mills

Today, the U.S. Digital Service and 18F are excited to announce the launch of login.gov, a single sign-on solution for government websites that will enable citizens to access public services across agencies with the same username and password.

Continue reading about Government launches login.gov to simplify access to public services

login.gov identity security platforms u.s. digital service

May 25, 2017

From launch to landing: How NASA took control of its HTTPS mission

By Karim Said

In 2015, the White House Office of Management and Budget released M-15-13, a "Policy to Require Secure Connections across Federal Websites and Web Services" the memo emphasizes the importance of protecting the privacy and security of the public's browsing activities on teh web. This is a guest post by Karim Said of NASA who was instrumental in NASA's successful HTTPS and HSTS migration.

Continue reading about From launch to landing: How NASA took control of its HTTPS mission

https security

May 11, 2017

The next step towards a bug bounty program for the Technology Transformation Service

By Omid Ghaffari-Tabrizi , Waldo Jaquith , Eric Mill

With bug bounties becoming an established industry-wide best practice, it’s important for us to establish our own. With the results we receive from the TTS Bug Bounty, we look forward to establishing a permanent program that involves most — if not all — TTS-owned websites and web applications.

Continue reading about The next step towards a bug bounty program for the Technology Transformation Service

technology transformation services security

February 27, 2017

To get things done, you need great, secure tools

By V. David Zvenyach

To folks new to government, one of the most surprising differences between our work and work in the private sector are the barriers in accessing commercially available software, and commercially available Software as a Service (SaaS) in particular. There are many good reasons for these barriers but digital teams need great tools to get work done and compliance requires tradeoffs associated with time to initial delivery and accommodation of constraints that are different from the private sector.

Continue reading about To get things done, you need great, secure tools

security acquisition services cloud.gov

January 6, 2017

Open source collaboration across agencies to improve HTTPS deployment

By Cameron Dixon

Cameron Dixon at the Department of Homeland Security writes for 18F: To facilitate secure connections for citizens, immigrants, and other users, the Department of Homeland Security began delivering 'HTTPS Reports' directly to federal agencies. We open-sourced the tool we scan with, in collaboration with our colleagues at 18F.

Continue reading about Open source collaboration across agencies to improve HTTPS deployment

https security open source

January 4, 2017

Tracking the U.S. government's progress on moving to HTTPS

By Eric Mill

The White House HTTPS policy generated significant HTTPS adoption in the U.S. government. HTTPS is now used for most web requests to executive branch .gov websites, and the government now outpaces the private sector on HTTPS.

Continue reading about Tracking the U.S. government's progress on moving to HTTPS

https security pulse.cio.gov

November 22, 2016

A vulnerability disclosure policy for the Technology Transformation Service

By Kimber Dowsett

We’ve published a vulnerability disclosure policy for 18F's parent organization, GSA's Technology Transformation Service, which lays out rules of the road for reporting vulnerabilities to various TTS-operated systems. We want a clear path for security researchers to tell us about vulnerabilities on our systems, and to assure those researchers that we won’t pursue legal action against them.

Continue reading about A vulnerability disclosure policy for the Technology Transformation Service

security technology transformation services

May 13, 2016

How 18F handles information security and third party applications

By Aaron Snow , Noah Kunin

Today the General Services Administration’s Office of Inspector General (an independent part of our agency, entrusted with carefully inspecting agency operations) published a report on a mistake made in the configuration of Slack, an online chat tool we use. We discovered and remedied this issue a couple of months ago. We did a full investigation and to our knowledge no sensitive information was shared inappropriately.

Continue reading about How 18F handles information security and third party applications

security collaboration tools

May 10, 2016

Building a modern shared authentication platform

By Joel Minton

18F is working iteratively with a team of technologists from across the government to build a platform for users who need to log in to government services. Every consumer-facing service the government offers will benefit from this platform, enhancing the privacy and security of online interactions for the public and for agencies.

Continue reading about Building a modern shared authentication platform

login.gov platforms identity security

April 15, 2016

Compliance Masonry: Building a risk management platform, brick by brick

By Mossadeq Zia , Gabriel Ramírez , Noah Kunin

We’re trying to change how we approach the development of system security plans. Our goal is to create a system that allows system custodians, security operations staff, and executives to actively interact, update, and generate assurance reports with searchable content and testable security controls to satisfy any type of risk management framework. The current prototype is called Compliance Masonry.

Continue reading about Compliance Masonry: Building a risk management platform, brick by brick

security cloud.gov

November 13, 2015

Answering common questions about cloud.gov

By Bret Mogilefsky

Four weeks ago, we announced cloud.gov, a new platform that will enable small federal teams to rapidly develop and deploy web services with best-practice, production-level security and scalability. Currently, we’re running a small pilot program to prepare to open up cloud.gov to all federal agencies. In the meantime, we’d like to lay out some more details about the project and answer some common questions.

Continue reading about Answering common questions about cloud.gov

devops platforms video cloud.gov best practices security

November 4, 2015

Complexity is the adversary

By Noah Kunin

What if we told you that most catastrophic digital security vulnerabilities had one common denominator? One overriding contributor to root causes? Would you believe that one factor is also the biggest impediment to great design and software? That one thing? Complexity.

Continue reading about Complexity is the adversary

security best practices https

October 9, 2015

To always be shipping, you need a shipyard

By Bret Mogilefsky

We’ve developed cloud.gov, a Platform-as-a-Service (PaaS), to tackle core infrastructure issues and enable our small development teams to improve the delivery of 18F products.

Continue reading about To always be shipping, you need a shipyard

best practices security platforms cloud.gov

July 16, 2015

An introduction to HTTPS, by 18F and DigitalGov University

By Eric Mill , Gray Brooks

18F uses HTTPS for everything we make, and the U.S. government is in the process of transitioning to HTTPS everywhere. As part of this effort, we've recently partnered with DigitalGov University to produce a two-video series introducing the why's and how's of HTTPS.

Continue reading about An introduction to HTTPS, by 18F and DigitalGov University

https security tools you can use video training

June 8, 2015

The U.S. government is moving to HTTPS everywhere

By Eric Mill , Gray Brooks

Today, the White House's Office of Management and Budget (OMB) finalized an HTTPS-Only Standard for all publicly accessible federal websites and web services. This standard is designed to ensure a new, strong baseline of user privacy and security across U.S. government websites and APIs.

Continue reading about The U.S. government is moving to HTTPS everywhere

https security best practices

June 3, 2015

Giving back to open source: Everybody wins

By Mike Bland

We love when we're able to contribure to open source projects from other organizations. Recently, we contributed to Bitly's open source google_auth_proxy to support our Hub and MyUSA applications, and our contribution has already helped other OAuth2 providers.

Continue reading about Giving back to open source: Everybody wins

open source security hub communication tools and practices

June 2, 2015

Taking the pulse of the federal government's web presence

By Eric Mill , Julia Elman , Gray Brooks , John Tindel

The U.S. federal government is launching a new project to monitor how it's doing at best practices on the web. A sort of health monitor for the U.S. government's websites, it's called Pulse, and you can find it at pulse.cio.gov.

Continue reading about Taking the pulse of the federal government's web presence

pulse.cio.gov https security best practices

May 18, 2015

Meet MyUSA: Your one account for government

By Kate Garklavs

If you’re a small-business owner, a veteran, or simply a person interested in tracking the status of your tax return, you’ve likely interacted with multiple government websites, which can require you to fill out a lot of forms and juggle a lot of information. Soon, you’ll be able to use MyUSA — a service that makes government resources easier to access, and government tasks and processes easier to keep track of.

Continue reading about Meet MyUSA: Your one account for government

security myusa

March 17, 2015

For public comment: the HTTPS-only standard

By Eric Mill , Gray Brooks

Today, the White House's Office of Management and Budget is releasing a draft proposal for public comment: The HTTPS-Only Standard, at https.cio.gov. This proposal would require all new and existing publicly accessible federal websites and web services to enforce a secure, private connection with HTTPS Feedback and suggestions during this public comment period are encouraged, and can be provided on GitHub or by email.

Continue reading about For public comment: the HTTPS-only standard

security https best practices

February 9, 2015

The first .gov domains hardcoded into your browser as all-HTTPS

By Eric Mill

Every .gov website, no matter how small, should give its visitors a secure, private connection. Ordinary HTTP (http://) connections are neither secure nor private, and can be easily intercepted and impersonated. In today's web browsers, the best and easiest way to fix that is to use HTTPS (https://).

Continue reading about The first .gov domains hardcoded into your browser as all-HTTPS

https security best practices

November 13, 2014

Why we use HTTPS for every .gov we make

By Eric Mill

18F uses HTTPS in every .gov website we make, so that our users have a fast, secure, private connection.

Continue reading about Why we use HTTPS for every .gov we make

security best practices https