by cmrivers on 2/22/17, 1:20 PM with 1 comments
by webmaven on 2/22/17, 5:28 PM
Here is the key finding concerning the data breach[0]:
"18F’s use of both OAuth 2.0 and Slack is not in compliance with GSA’s Information Technology Standards Profile, GSA Order CIO P 2160.1E. The order allows information technologies to be approved for use in the GSA IT environment if they comply with GSA’s security, legal, and accessibility requirements. Currently, neither OAuth 2.0 nor Slack are approved for use in the GSA IT standards profile."
And the recommendation:
"GSA should cease using Slack and OAuth 2.0 until and unless they are approved for use in the IT Standards Profile"
OAuth, of course, isn't even software, but a protocol. I wonder where the authorizations to use HTTP, SSL, TLS, HTTPS, and so on are listed. OAuth is just a combination of these (presumably approved) technologies.
One of the key findings of the longer report[1]:
"Examples of software that were in use by 18F, but not approved by GSA IT, included Hackpad, used for taking collaborative notes and sharing data and files; CloudApp, a visual communication platform; Pingdom, a website monitoring tool; and Hootsuite, a social media marketing and management dashboard."
Here are some relevant entries on Apps.Gov (Pingdom and CloudApp don't seem to be listed, unfortunately):
https://apps.gov/products/hackpad/
https://apps.gov/products/hootsuite/
https://apps.gov/products/Slack/
[0] https://www.gsaig.gov/sites/default/files/ipa-reports/Alert%...
[1] https://www.gsaig.gov/sites/default/files/ipa-reports/OIG%20...