6.5 Security

govstack-cfr-security2.0.0

#1 Enforce Transport Security (REQUIRED IMMUTABLE) (previously 5.12)

All communication is secured using HTTPS/TLS 1.3. Insecure cipher suites MUST be disabled. This supports protection against man-in-the-middle (MITM) attacks.

#2 Use Secure Configuration (REQUIRED IMMUTABLE) (previously 5.21)

All configuration uses secure methods, such as environment variables or a secret management system. Sensitive credentials are never be stored in source code or version control.

#3 Include Support for Capturing Logging information (REQUIRED IMMUTABLE) (previously 5.10)

Building Blocks MUST have a mechanism for generating logging information. This may be as simple as using STDOUT and capturing through docker logs, or may use other log sinking technologies.

#4 Security testing is completed before solution is shared for use by others. This must include coverage of high-risk vulnerabilities as described in globally recognized standards (e.g. OWASP Top 10). (REQUIRED IMMUTABLE)

#5 No sensitive data such as keys, certificates, or passwords is stored in code repositories or documentation. (REQUIRED IMMUTABLE)

#6 Include Clearly-Defined Key Rotation Policies (RECOMMENDED EXTENSIBLE) (previously 5.16)

Some blocks may require the use of security keys. Those that do must have clearly defined key rotation policies to enhance security

#7 Use I/O Sanitization (RECOMMENDED EXTENSIBLE) (previously 5.25)

Building blocks SHOULD validate all incoming data to ensure that it conforms with the expected format and type. APIs should also sanitize incoming data, removing any unsafe characters or tokens.

#8 Only up-to-date and industry-accepted cryptographic algorithms MUST be used for data protection. (RECOMMENDED IMMUTABLE)

#9 Enforce Access Control and Authentication (REQUIRED EXTENSIBLE)

Each Building Block enforces a least-privilege access control model to ensure that users and services only access the resources they need. Authentication and authorization should be handled through an Identity and Access Management service using open standards. For user-facing flows, authenticate the user and obtain their roles/permissions via OpenID Connect. For client-to-client or machine-to-machine API interactions, authorize calls using OAuth 2.0 or JWT-based access tokens. Tokens are short-lived and stored securely, with regular rotation, and access decisions are logged to support auditing.

#10 Implement Secure API Gateways (RECOMMENDED EXTENSIBLE)

Where external APIs are exposed, a gateway layer handles:

rate limiting,
authentication and authorization,
request/response validation, and
encryption enforcement.

#11 Implement Continuous Vulnerability Scanning and Patching (RECOMMENDED EXTENSIBLE)

Security testing MUST be automated in CI/CD pipelines, including:

Static Application Security Testing (SAST),
Dynamic Application Security Testing (DAST), and
Dependency Vulnerability Scanning (e.g., OWASP Dependency-Check, Trivy).
Critical vulnerabilities MUST be addressed before release.

#12 Ensure Isolation and Containment (RECOMMENDED EXTENSIBLE)

A compromise in one Building Block allows escalation or lateral movement to others. Containers and services run with minimal privileges (principle of least privilege). Network segmentation and namespace isolation is implemented.

#13 Logging and Monitoring Security Events (REQUIRED EXTENSIBLE)

Security events (e.g., failed logins, permission violations) are logged separately from functional logs. Logs integrate with centralized observability systems (see CFR Observability). All logs support audit trails with timestamping, trace IDs, and user context.

#14 Adopt Secure Coding and Review Practices (RECOMMENDED EXTENSIBLE)

All source code undergoes peer code review focusing on security implications. Sensitive code segments (e.g., crypto, identity) are reviewed by qualified experts.

#15 Disaster Recovery and Incident Response (RECOMMENDED EXTENSIBLE)

Each Building Block defines incident response and disaster recovery plans.

Procedures SHOULD include:

alerting and triage workflow,
root-cause analysis and postmortems,
secure rollback or hot patch mechanisms.

#16 Compliance and Audit Readiness (RECOMMENDED IMMUTABLE)

Building Blocks maintain documentation that demonstrates compliance with:

OWASP ASVS,
ISO/IEC 27001, and
GovStack Security Framework.

Periodic third-party audits are RECOMMENDED for production-grade deployments.

Last updated 1 month ago

Was this helpful?

hashtaggovstack-cfr-security2.0.0

hashtag#1 Enforce Transport Security (REQUIRED IMMUTABLE) (previously 5.12)

hashtag#2 Use Secure Configuration (REQUIRED IMMUTABLE) (previously 5.21)

hashtag#3 Include Support for Capturing Logging information (REQUIRED IMMUTABLE) (previously 5.10)

hashtag#4 Security testing is completed before solution is shared for use by others. This must include coverage of high-risk vulnerabilities as described in globally recognized standards (e.g. OWASP Top 10). (REQUIRED IMMUTABLE)

hashtag#5 No sensitive data such as keys, certificates, or passwords is stored in code repositories or documentation. (REQUIRED IMMUTABLE)

hashtag#6 Include Clearly-Defined Key Rotation Policies (RECOMMENDED EXTENSIBLE) (previously 5.16)

hashtag#7 Use I/O Sanitization (RECOMMENDED EXTENSIBLE) (previously 5.25)

hashtag#8 Only up-to-date and industry-accepted cryptographic algorithms MUST be used for data protection. (RECOMMENDED IMMUTABLE)

hashtag#9 Enforce Access Control and Authentication (REQUIRED EXTENSIBLE)

hashtag#10 Implement Secure API Gateways (RECOMMENDED EXTENSIBLE)

hashtag#11 Implement Continuous Vulnerability Scanning and Patching (RECOMMENDED EXTENSIBLE)

hashtag#12 Ensure Isolation and Containment (RECOMMENDED EXTENSIBLE)

hashtag#13 Logging and Monitoring Security Events (REQUIRED EXTENSIBLE)

hashtag#14 Adopt Secure Coding and Review Practices (RECOMMENDED EXTENSIBLE)

hashtag#15 Disaster Recovery and Incident Response (RECOMMENDED EXTENSIBLE)

hashtag#16 Compliance and Audit Readiness (RECOMMENDED IMMUTABLE)