In order to reduce recurring web security findings in a sustainable way, the team wants to harden retained systems, retire or restrict low-value exposed surfaces, and improve how recurring scan results are dispositioned and validated.
Acceptance Criteria
GIVEN recurring low/medium web security findings across multiple environments
WHEN this epic is completed
THEN the highest-value retained findings have been addressed through linked remediation tickets

GIVEN multiple findings affect browser security behavior, headers, cookies, framing, transport, or error handling
WHEN linked work is completed
THEN retained systems have a more consistent baseline security posture

GIVEN some affected assets may be deprecated or no longer justify remediation effort
WHEN the affected systems are reviewed
THEN each relevant system is categorized as retain and harden, restrict, retire, or accept with rationale

GIVEN recurring findings may continue to appear until rescans are completed
WHEN linked remediation work is verified
THEN evidence and disposition notes are captured in the linked tickets
AND issues ready for validation/rescan are clearly identified

GIVEN this epic is being used to track a broader cleanup effort
WHEN future work is reviewed
THEN linked issues clearly indicate which findings they relate to, why they were opened, and what follow-up is required for validation and closure
Background
This epic tracks a broader security cleanup effort following recurring monthly scan findings across production and non-production systems.
The goal is to focus engineering effort on the most meaningful next steps after initial header and cookie hardening work, especially on retained systems, while also reducing long-term noise from systems that may be deprecated, restricted, or formally accepted.
This epic is intended to organize follow-on work such as:
frame protection / clickjacking-related review on retained web properties
browser tab / reverse-tabnabbing cleanup where applicable
application error-handling review for endpoints returning internal server errors
validation of TLS/transport ownership and weak-cipher remediation paths
review of exposed non-production and administrative assets to determine retain/harden vs restrict/retire
documentation of accepted risk, false-positive-prone findings, and validation follow-up needs
Representative findings informing this epic include:
HTTP Strict Transport Security (HSTS) warnings
insecure cookie settings
cross-origin header misconfiguration
missing content type hardening headers
framing-related findings
browser tab navigation findings
internal server errors
weak cipher findings
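As an added example (not part of the epic or any linked ticket), the checker below takes one captured HTTP response and reports which of the finding classes listed above apply to it, so that evidence for a remediation ticket can be produced from a saved response rather than by waiting for the next monthly scan. The baseline it encodes (HSTS max-age of one year, Secure/HttpOnly/SameSite on every cookie, nosniff, X-Frame-Options or CSP frame-ancestors, rel=noopener on target=_blank links, 5xx treated as an internal-server-error finding) and the two sample responses are this example's own assumptions, not the scanner's rules; weak-cipher checks are transport-level and are outside what a single response header set can show.

```python
"""Baseline checker for recurring web scan finding classes (added example).

The thresholds and header set below are assumptions made for this example;
they are not the scanner's definitions.
"""
import re
from typing import Dict, List

# Assumed baseline: one year, the value commonly required before HSTS preload.
HSTS_MIN_MAX_AGE = 31536000


def check_response(status: int, headers: Dict[str, List[str]], body: str = "") -> List[str]:
    """Return the finding-class labels that apply to one captured response.

    `headers` maps header names to a list of values (Set-Cookie may repeat).
    """
    findings: List[str] = []
    h = {k.lower(): v for k, v in headers.items()}

    # HSTS: header absent, or max-age below the assumed baseline.
    hsts = h.get("strict-transport-security", [])
    m = re.search(r"max-age=(\d+)", hsts[0], re.I) if hsts else None
    if not m or int(m.group(1)) < HSTS_MIN_MAX_AGE:
        findings.append("hsts")

    # Cookies: each Set-Cookie should carry Secure, HttpOnly and a SameSite value.
    for cookie in h.get("set-cookie", []):
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        if not {"secure", "httponly", "samesite"} <= attrs:
            findings.append("insecure-cookie")
            break

    # Cross-origin: wildcard origin combined with credentials is a misconfiguration
    # (browsers reject the combination, and scanners flag it as inconsistent policy).
    acao = h.get("access-control-allow-origin", [""])[0].strip()
    acac = h.get("access-control-allow-credentials", [""])[0].strip().lower()
    if acao == "*" and acac == "true":
        findings.append("cors-misconfig")

    # Content type hardening: X-Content-Type-Options must be nosniff.
    if h.get("x-content-type-options", [""])[0].strip().lower() != "nosniff":
        findings.append("content-type-hardening")

    # Framing: either X-Frame-Options or a CSP frame-ancestors directive.
    xfo = h.get("x-frame-options", [""])[0].strip().lower()
    csp = " ".join(h.get("content-security-policy", [])).lower()
    if xfo not in ("deny", "sameorigin") and "frame-ancestors" not in csp:
        findings.append("framing")

    # Reverse tabnabbing: target="_blank" anchors without rel=noopener.
    for tag in re.findall(r"<a\b[^>]*>", body, re.I):
        opens_blank = re.search(r'target\s*=\s*["\']?_blank', tag, re.I)
        has_noopener = re.search(r'rel\s*=\s*["\'][^"\']*noopener', tag, re.I)
        if opens_blank and not has_noopener:
            findings.append("tabnabbing")
            break

    # Error handling: any 5xx response is tracked as an internal server error.
    if status >= 500:
        findings.append("internal-server-error")

    return findings


# Constructed sample responses (not captured from any real system).
WEAK_RESPONSE = dict(
    status=500,
    headers={
        "Set-Cookie": ["session=abc; Path=/"],
        "Access-Control-Allow-Origin": ["*"],
        "Access-Control-Allow-Credentials": ["true"],
    },
    body='<html><a href="https://example.test/" target="_blank">open</a></html>',
)

HARDENED_RESPONSE = dict(
    status=200,
    headers={
        "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
        "Set-Cookie": ["session=abc; Path=/; Secure; HttpOnly; SameSite=Lax"],
        "X-Content-Type-Options": ["nosniff"],
        "Content-Security-Policy": ["frame-ancestors 'none'"],
    },
    body='<html><a href="https://example.test/" target="_blank" rel="noopener noreferrer">open</a></html>',
)


def run_samples() -> Dict[str, List[str]]:
    """Run both constructed samples and return their finding lists by name."""
    return {
        "weak": check_response(**WEAK_RESPONSE),
        "hardened": check_response(**HARDENED_RESPONSE),
    }


if __name__ == "__main__":
    for name, found in run_samples().items():
        print(f"{name}: {found or 'no findings'}")
```

Running a saved response through `check_response` before requesting a rescan gives the ticket a concrete before/after record; an empty list for the retained system is the evidence to attach, and a non-empty one tells the ticket owner which class still needs work.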
Reminder to future us:
The purpose of this epic is not to chase every low finding individually.
The purpose is to improve the security posture of retained systems, reduce recurring classes of findings through shared fixes where possible, and avoid spending time remediating assets that should instead be retired or restricted.
Linked tickets should tie back to the relevant scan finding class and identify what evidence is needed for validation.
Notify the ISSO when linked remediation work is ready for validation/rescan.
Security Considerations (required)
This epic covers multiple web security hardening and vulnerability-management activities. Security considerations include:
Sketch
Assign to Sue when Done