forked from cncf/tag-security
fix formatting, add a bit more explanation
1 parent 3887158, commit 875eb40
Showing 1 changed file with 35 additions and 20 deletions.
@@ -1,31 +1,46 @@ | ||
# Security Assessments | ||
|
||
The [security assessment process](guide) is designed to accelerate the adoption | ||
of cloud native technologies, based on the following assumptions: | ||
1. Reduce risk across the ecosystem | ||
A. Clear and consistent process for communication increases detection & | ||
## Goals | ||
The [security assessment process](guide) is designed to accelerate the adoption | ||
of cloud native technologies, based on the following goals and assumptions: | ||
|
||
### 1) Reduce risk across the ecosystem | ||
|
||
The primary goal is to reduce the risk from malicious attacks and accidental breaches of privacy. This process supports that goal in two ways: | ||
|
||
* Clear and consistent process for communication increases detection & | ||
reduces time to resolve known or suspected vulnerability issues | ||
B. A collaborative evaluation process increases domain expertise | ||
* A collaborative evaluation process increases domain expertise | ||
within each participating project. | ||
2. Accelerate adoption of cloud native technologies (via discovery of security information & streamlined security reviews) | ||
A. Consistent documentation reduces review time | ||
B. Established baseline of security-relevant information reduces Q&A | ||
C. Clear rubric for security profile enables organizations to align their | ||
risk profile with project’s risk profile and effectively allocate resources | ||
(for review and needed project contribution) | ||
D. Structured metadata allows for navigation, grouping and cross-linking | ||
|
||
## Goal | ||
The purpose of this effort is to reduce the risk of malicious attacks and | ||
accidental breaches of privacy by raising awareness of how specific open source | ||
projects affect the security of a cloud native system. | ||
|
||
### 2) Accelerate adoption of cloud native technologies | ||
|
||
Security reviews are a necessary, yet time consuming process, where each | ||
company, organization and project must perform its own reviews to ensure | ||
that it meets its unique commitments to its own users and stakeholders. | ||
In open source, simply finding security-related information can be a very | ||
time consuming part of the the process. The process is designed to enable improved discovery of security information & streamlined security reviews in multiple ways: | ||
|
||
* Consistent documentation reduces review time | ||
* Established baseline of security-relevant information reduces Q&A | ||
* Clear rubric for security profile enables organizations to align their | ||
risk profile with project’s risk profile and effectively allocate resources | ||
(for review and needed project contribution) | ||
* Structured metadata allows for navigation, grouping and cross-linking | ||
|
||
We expect that this process will raise awareness of how specific open source | ||
projects affect the security of a cloud native system; however, separate | ||
activities may be needed to achieve that purpose using materials generated by | ||
the assessements. | ||
|
||
## Outcome | ||
|
||
Each project assessment will: | ||
1. ensure a clear description of the project's design goals with respect to | ||
1. ensure a clear description of the project's design goals with respect to | ||
security | ||
2. uncover design flaws and document known limitations | ||
3. document next steps toward increasing security of the project itself and/or | ||
increasing the applications of the project toward increasing security of the | ||
3. document next steps toward increasing security of the project itself and/or | ||
increasing the applications of the project toward increasing security of the | ||
cloud native ecosystem | ||
|
||
|
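Review bot: two typos survive in the added prose of this hunk: "the the process" in the "Accelerate adoption of cloud native technologies" paragraph should read "the process", and "assessements" in the closing sentence of that section ("materials generated by the assessements") should read "assessments". A smaller style point in the same hunk: the new subsection headings use the form "### 1) Reduce risk across the ecosystem" / "### 2) Accelerate adoption ...", while the "Outcome" section below keeps a plain "1." / "2." / "3." numbered list; picking one numbering convention (for example dropping the "1)" / "2)" prefixes from the headings, since the heading level already orders them) would keep the document consistent.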