[Sec Assess WG] Mapping Security Assessments to TOC Process #448

Closed
4 tasks
lumjjb opened this issue Oct 30, 2020 · 6 comments
Labels: assessment-process (proposed improvements to security assessment process), help wanted (Extra attention is needed), inactive (No activity on issue/PR), suggestion (New suggestion for the CNCF sig-security group that don't fall into an existing category)

Comments

lumjjb (Collaborator) commented Oct 30, 2020

This issue was created from results of the Security Assessment Improvement Working Group (#167 (comment)).

Mapping Security Assessments to TOC Process

Premise

  • The security assessment aims to tie into the CNCF project process, but it is not clear how
  • There is no current agreed upon requirement for the process for what is asked of a SIG

Ideas

  • Better document the Due Diligence process and document
  • Need more detail on when the SIG recommends for the next CNCF phase
  • Not tie it too directly to the TOC process
  • CNCF needs to explicitly define the requirement for projects at each level to go through assessment
  • Map the security assessment process to the CNCF process
  • Are assessments necessary/mandated by the TOC to move from one stage to another? We need to make projects realize it's in their interest to invest time in going through the assessment process.

Action Items

  • Create internal mapping of TOC mapping for SIG-Security (@lumjjb, @itaysk)
  • Propose a hard requirement for TOC process (looking at frequency/data of incubating/graduating projects)

Logistics

  • Contributors (For multiple contributors, 1 lead to coordinate)
  • SIG-Representative
lumjjb added the help wanted, assessment-process and suggestion labels on Oct 30, 2020
itaysk (Contributor) commented Oct 31, 2020

@lumjjb I'm interested in this one

lumjjb (Collaborator, Author) commented Nov 2, 2020

Thanks @itaysk, going to wait till the end of the week to see if anyone else wants to get involved, and we can set up some time to discuss.

JustinCappos (Collaborator) commented

> Are assessments necessary/mandated by the TOC to move from one stage to another? We need to make projects realize it's in their interest to invest time in going through the assessment process.

This has been politically tough in the past. We need to get TOC buy in so doing this in coordination with folks there is key.

stale bot commented Jan 10, 2021

This issue has been automatically marked as inactive because it has not had recent activity.

stale bot added the inactive label on Jan 10, 2021
stale bot removed the inactive label on Jun 20, 2021
stale bot commented Aug 21, 2021

This issue has been automatically marked as inactive because it has not had recent activity.

stale bot added the inactive label on Aug 21, 2021
anvega (Collaborator) commented Jun 20, 2023

While aspirational, something that lies on the TOC and not on the TAG to align on. Closing this out as the issue has been inactive for so long now.

anvega closed this as completed on Jun 20, 2023