Framework/Configurations/SVT/Services/BotService.json

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
{
  "FeatureName": "BotService",
  "Reference": "aka.ms/azsktcp/botservice",
  "IsMaintenanceMode": false,
  "Controls": [
    {
      "ControlID": "Azure_BotService_Enable_Required_Channels_Only",
      "Description": "Only specific/required channels must be configured to allow traffic to bot service.",
      "Id": "BotService110",
      "ControlSeverity": "High",
      "Automated": "Yes",
      "MethodName": "CheckBotConfiguredChannels",
      "Rationale": "Each channel enabled for the Bot exposes the bot to activity on that channel. If a channel that is not actually required is enabled for the bot, it introduces unnecessary avenues for attack.",
      "Recommendation": "Verify the configured channels and to add more supported channels refer: https://docs.microsoft.com/en-us/azure/bot-service/bot-service-manage-channels?view=azure-bot-service-3.0",
      "Tags": [
        "SDL",
        "TCP",
        "BotService"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_BotService_DP_Encrypt_At_Rest",
      "Description": "Ensure to use own storage adapter instead of Bot Framework State Service API.",
      "Id": "BotService120",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Using this feature ensures that sensitive data is stored encrypted at rest. This minimizes the risk of data loss from physical theft and also helps meet regulatory compliance requirements.",
      "Recommendation": "Default behavior. No action required.",
      "Tags": [
        "SDL",
        "Information",
        "Manual",
        "BotService"
      ],
      "Enabled": true
    },
    {
      "ControlID": "Azure_BotService_DP_Protect_Secrets",
      "Description": "Secrets in Bot Service must be handled properly.",
      "Id": "BotService130",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Keeping secrets such as passwords, keys, etc. in clear text can lead to easy compromise at various avenues during an application's lifecycle.",
      "Recommendation": "It is recommended to handle the secrets properly.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "BotService"
      ],
      "Enabled": "true"
    },
    {
      "ControlID": "Azure_BotService_Audit_Enable_Monitoring",
      "Description": "Make sure important activities and events during Bot interactions are logged.",
      "Id": "BotService140",
      "ControlSeverity": "Medium",
      "Automated": "Yes",
      "MethodName": "CheckAIConfigured",
      "Rationale": "Analytics can be useful to detect unusual usage behavior patterns.",
      "Recommendation": "Follow https://docs.microsoft.com/en-us/azure/bot-service/bot-service-manage-analytics?view=azure-bot-service-3.0 for configuring Application Insight with Bot Service.",
      "Tags": [
        "SDL",
        "TCP",
        "BotService"
      ],
      "Enabled": "true"
    },
    {
      "ControlID": "Azure_BotService_DP_Dont_Allow_HTTP_Access",
      "Description": "Bot Service API must only be accessible over HTTPS",
      "Id": "BotService150",
      "ControlSeverity": "High",
      "Automated": "No",
      "MethodName": "",
      "Rationale": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.",
      "Recommendation": "Make Web App linked to Bot Service to use Https using command 'Set-AzResource -ResourceName '<WebAppName>' -ResourceGroupName '<RGName>' -ResourceType 'Microsoft.Web/sites' -Properties @{httpsOnly='true'} -Force '. Run 'Get-Help Set-AzResource -full' for more help.",
      "Tags": [
        "SDL",
        "TCP",
        "Manual",
        "BotService"
      ],
      "Enabled": true
    }
  ]
}