[Assessment] SPIFFE/SPIRE #308

Closed
13 of 14 tasks
evan2645 opened this issue Dec 12, 2019 · 28 comments
Labels: assessment (project security assessments, one issue per project)

Comments

@evan2645
Contributor

evan2645 commented Dec 12, 2019

Project Name: SPIFFE/SPIRE

Github URL: https://github.com/spiffe/spire

Security Provider: yes

  • Identify team
    • Project security lead (Evan Gilman)
    • Lead Security Reviewer (Brandon Lum)
    • 1 or more additional reviewer(s) (Justin Cappos, Emily Fox)
    • Declaration of reading of security reviewer guidelines and declaration of conflicts (by each reviewer)
    • Sign off by 2 chairs on reviewer conflicts (Justin Cappos in lieu of chairs who are preoccupied)
  • Create slack channel (e.g. #sec-assess-projectname)
  • Project lead provides draft document outline -- self-assessment
  • "Dumb question phase" Lead Security Reviewer asks clarifying questions
  • Initial review
  • Presentation & discussion (Done on 26 Feb)
  • Share draft findings with project
  • Assessment summary and doc checked into /assessments/projects/project-name
  • CNCF TOC presentation (if requested by TOC)
evan2645 added the assessment label (project security assessments, one issue per project) Dec 12, 2019
@lumjjb
Collaborator

lumjjb commented Dec 12, 2019

I am willing to volunteer to be a security reviewer for this assessment, and am able to lead.

@JustinCappos
Collaborator

JustinCappos commented Dec 12, 2019 via email

@lumjjb
Collaborator

lumjjb commented Dec 13, 2019

Link issue for previous assessment by @JustinCappos #97

JustinCappos added the need-self-assessment label (The project has not yet created a self assessment) Dec 16, 2019

JustinCappos removed the need-self-assessment label Dec 16, 2019
@lumjjb
Collaborator

lumjjb commented Dec 18, 2019

Conflict declaration: No conflicts with this project.

@JustinCappos
Collaborator

JustinCappos commented Dec 18, 2019

No conflict from my side either. I like the folks there a lot, but it won't impact my objectivity in a security assessment. :)

@TheFoxAtWork
Collaborator

TheFoxAtWork commented Dec 18, 2019

Happy to help. No experience as lead assessor, but will help any way I can.

@JustinCappos
Collaborator

@TheFoxAtWork volunteered as well!

@evan2645
Contributor Author

👋 hi everyone! Sorry I'm late to the party :)

I made some minor updates to the self assessment today, but nothing major - I think @anvega did a pretty thorough job (thanks Andres!!). We have removed the Draft label that previously appeared in the document name.

One thing that probably needs some attention is that the previous assessment (the results of which are in the self assessment) did not account for "Evil Server / Victim Server" attack vector. There may also be a modifier there of "Same Trust Domain" and "Different Trust Domain". I'm not sure if the old assessment methodology applies to the new process.

@JustinCappos
Collaborator

JustinCappos commented Dec 19, 2019

> One thing that probably needs some attention is that the previous assessment (the results of which are in the self assessment) did not account for "Evil Server / Victim Server" attack vector. There may also be a modifier there of "Same Trust Domain" and "Different Trust Domain". I'm not sure if the old assessment methodology applies to the new process.

We're doing a lighter process here (no collusion matrices for most projects). I think we might have still taken a few steps down this path here because the setup and trust relationships are fairly complex.

@lumjjb
Collaborator

lumjjb commented Dec 19, 2019

Here is the proposed schedule. How does this look for all?

Jan 6-10: "Dumb questions phase"
(only project lead (and team) + lead security reviewer involved)

Jan 13 - 22: Security review phase - security reviewers add comments on the doc and conversation around edits to the doc continues
(project lead (and team) + all security reviewers)

Jan 22: Presentation to SIG-security meeting (MOVED to Feb 5)
(at least 1 representative from project team and security reviewers)

By Jan 24: Address all remaining comments, and finalize TOC summary (1 slide) (MOVED to Feb 7)

(To be scheduled) 1 slide sharing to the TOC

@JustinCappos
Collaborator

I've read the reviewer guidelines.

@JustinCappos
Collaborator

> Here is the proposed schedule. How does this look for all?
>
> Jan 6-10: "Dumb questions phase"
> (only project lead (and team) + lead security reviewer involved)
>
> Jan 13 - 22: Security review phase - security reviewers add comments on the doc and conversation around edits to the doc continues
> (project lead (and team) + all security reviewers)
>
> Jan 22: Presentation to SIG-security meeting
> (at least 1 representative from project team and security reviewers)
>
> By Jan 24: Address all remaining comments, and finalize TOC summary (1 slide)
>
> (To be scheduled) 1 slide sharing to the TOC

@evan2645 Does this timeline work for you?

@lumjjb
Collaborator

lumjjb commented Dec 19, 2019

I've read the reviewer guidelines.

@lumjjb
Collaborator

lumjjb commented Dec 20, 2019

@ultrasaurus @dshaw @pragashj require 2 co-chairs on reviewer conflicts

@lumjjb
Collaborator

lumjjb commented Dec 20, 2019

Note, as per discussion on Slack, the initial "Dumb Question Phase" is not a full-time commitment but more of an asynchronous process. I've allocated a bit of a buffer due to the 18-hour timezone difference between myself and Evan, and my travel from SIN->SFO on 9-10 Jan.

@ultrasaurus
Member

@lumjjb it looks like there are no reviewer conflicts, so we don't need chair review -- or did I miss something?

@anvega
Collaborator

anvega commented Dec 20, 2019

@ultrasaurus Wording may need to be revised. We interpreted the checkbox item as 2 SIG-chairs asserting that there are no reviewer conflicts and not a signoff where a conflict exists.

@evan2645
Contributor Author

@JustinCappos Sure, I think that will work OK. I'm not traveling over the holiday season so am free to start whenever, but of course I understand that I'm probably the outlier :-D

One thing I will note is that I will probably be unavailable from Jan ~8-19th. I have spoken to @azdagron about this though, and he is willing to cover and help answer any questions in my absence as I'm not sure what my internet access will look like during that time. @azdagron is a SPIRE maintainer.

@lumjjb
Collaborator

lumjjb commented Dec 21, 2019

@evan2645 yep that is fine.

@TheFoxAtWork how does schedule look for you?

@TheFoxAtWork
Collaborator

yep yep works for me @lumjjb

@JustinCappos
Collaborator

@ultrasaurus @dshaw @pragashj Can we get the chair signoff so we can move this to completed?

I think this means that @TheFoxAtWork, @lumjjb and I need to submit our conflict forms as well...

@JustinCappos
Collaborator

Hard conflicts:

Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO

Soft conflicts:

Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NOT REALLY. I performed a security audit / assessment of the project previously.
Reviewer has a personal stake in the project (personal relationships, etc.) - NO

@anvega
Collaborator

anvega commented May 14, 2020

@JustinCappos It’s been some time since the assessment was merged. I heard mention of this during today's SIG-Security call. Is there anything needed to close this issue and mark it done?

@JustinCappos
Collaborator

> @JustinCappos It’s been some time since the assessment was merged. I heard mention of this during today's SIG-Security call. Is there anything needed to close this issue and mark it done?

I think we're just waiting on the administrative items below from the SIG-Security side. Let's give people a day or two, but it should be closed this week.

> @ultrasaurus @dshaw @pragashj Can we get the chair signoff so we can move this to completed?
>
> I think this means that @TheFoxAtWork, @lumjjb and I need to submit our conflict forms as well...

@JustinCappos
Collaborator

Okay, given the chairs are preoccupied, I'm signing off on the COI.

@kapilt

kapilt commented Aug 17, 2020

The self-assessment doc here isn't accessible anymore.

@lumjjb
Collaborator

lumjjb commented Aug 17, 2020
