Assessment Finding SC-07

[peterrowland]

During the assessment the SORN team did not provide control language or technical evidence to satisfy SC-7c. Cloud.gov does not allow direct inheritance for this portion of the co

SC-7: The team should implement rules to prevent the system-specified portion of the application from exchanging traffic with systems outside its own boundary over unsanctioned or unmonitored interfaces.
The SSP should be updated to provide specific information on how the application prevents exchange of traffic with systems outside its boundary.

[peterrowland]

As it stands, there is nothing that prevents SORN DASH from reaching out to any app on the internet, and CF supports ASGs, which are not exposed tenants. No cloud.gov app can control that. Capability does not exist. No one can control their firewall rules.

[peterrowland]

cloud.gov has introduced restricted space types, can be moved to closed space types with outbound proxy with allow list of domain names. Question is whether ruby app respects proxy rules, if not would require some custom code