fix formatting, add a bit more explanation

JustinCappos · Apr 12, 2019 · 875eb40 · 875eb40
1 parent 3887158
commit 875eb40
Showing 1 changed file with 35 additions and 20 deletions.
diff --git a/assessments/README.md b/assessments/README.md
@@ -1,31 +1,46 @@
 # Security Assessments
 
-The [security assessment process](guide) is designed to accelerate the adoption 
-of cloud native technologies, based on the following assumptions:
-1. Reduce risk across the ecosystem
-   A. Clear and consistent process for communication increases detection & 
+## Goals
+The [security assessment process](guide) is designed to accelerate the adoption
+of cloud native technologies, based on the following goals and assumptions:
+
+### 1) Reduce risk across the ecosystem
+
+The primary goal is to reduce the risk from malicious attacks and accidental breaches of privacy. This process supports that goal in two ways:
+
+   * Clear and consistent process for communication increases detection &
    reduces time to resolve known or suspected vulnerability issues
-   B. A collaborative evaluation process increases domain expertise 
+   * A collaborative evaluation process increases domain expertise
    within each participating project.
-2. Accelerate adoption of cloud native technologies (via discovery of security information & streamlined security reviews)
-   A. Consistent documentation reduces review time 
-   B. Established baseline of security-relevant information reduces Q&A
-   C. Clear rubric for security profile enables organizations to align their 
-   risk profile with project’s risk profile and effectively allocate resources 
-   (for review and needed project contribution)  
-   D. Structured metadata allows for navigation, grouping and cross-linking
-
-## Goal
-The purpose of this effort is to reduce the risk of malicious attacks and 
-accidental breaches of privacy by raising awareness of how specific open source 
-projects affect the security of a cloud native system.
+
+### 2) Accelerate adoption of cloud native technologies
+
+Security reviews are a necessary, yet time consuming process, where each
+company, organization and project must perform its own reviews to ensure
+that it meets its unique commitments to its own users and stakeholders.
+In open source, simply finding security-related information can be a very
+time consuming part of the the process. The process is designed to enable improved discovery of security information & streamlined security reviews in multiple ways:
+
+   * Consistent documentation reduces review time
+   * Established baseline of security-relevant information reduces Q&A
+   * Clear rubric for security profile enables organizations to align their
+   risk profile with project’s risk profile and effectively allocate resources
+   (for review and needed project contribution)
+   * Structured metadata allows for navigation, grouping and cross-linking
+
+We expect that this process will raise awareness of how specific open source
+projects affect the security of a cloud native system; however, separate
+activities may be needed to achieve that purpose using materials generated by
+the assessements.
+
+## Outcome
 
 Each project assessment will:
-1. ensure a clear description of the project's design goals with respect to 
+1. ensure a clear description of the project's design goals with respect to
 security
 2. uncover design flaws and document known limitations
-3. document next steps toward increasing security of the project itself and/or 
-increasing the applications of the project toward increasing security of the 
+3. document next steps toward increasing security of the project itself and/or
+increasing the applications of the project toward increasing security of the
 cloud native ecosystem