From 78c626d31cdee8f8efd8c805df797228e3bf1966 Mon Sep 17 00:00:00 2001 From: Justin Cappos Date: Wed, 27 Nov 2024 09:06:34 -0500 Subject: [PATCH 1/7] Work to fix outdated assessment document Signed-off-by: Justin Cappos --- community/assessments/guide/README.md | 91 ++++++++++++--------------- 1 file changed, 40 insertions(+), 51 deletions(-) diff --git a/community/assessments/guide/README.md b/community/assessments/guide/README.md index f87ad5cbb..d464ffef0 100644 --- a/community/assessments/guide/README.md +++ b/community/assessments/guide/README.md @@ -35,10 +35,12 @@ and advance through the CNCF. The below section breaks the creation of the package into steps that mirror the [current TOC process stages](https://github.com/cncf/toc/tree/main/process). -### New projects +### Abbreviated project assessment -New projects are projects generally defined as very early on in their maturity. -They may have an innovators pool of users. +Projects which are very early on in their maturity may use a short process to +get some initial feedback by documenting their threat model and security design. +They use an abbreviated process which does not result in a joint assessment or a +detailed review by TAG Security. Note: Responsible roles for specific items are in **bold** @@ -46,7 +48,7 @@ Note: Responsible roles for specific items are in **bold** The self-assessment provides projects with the opportunity to examine the existing security provisions of the project. It can serve as their initial -security documentation for users. +security documentation for users. #### Create a [presentation issue](https://github.com/cncf/tag-security/issues/new?assignees=&labels=usecase-presentation&template=presentation.md&title=%5BPresentation%5D+Presentation+Title) 
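Review bot: Renaming the heading from "New projects" to "Abbreviated project assessment" in this hunk (PATCH 1/7, @@ -35,10 +35,12) changes its GitHub anchor, but the table of contents at the top of the file still links to `#new-projects`, so that link is broken in this commit; update the TOC entry to `#abbreviated-project-assessment` in the same change rather than in a later commit of the series. Two of the added lines, `Projects which are very early on in their maturity may use a short process to ` and `security documentation for users. `, also carry trailing whitespace (the next patch in the series removes it again); strip it here so the commit is clean on its own.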
@@ -56,7 +58,7 @@ lead** submit the issue as the primary point of contact (POC). #### Present the project and self-assessment -Be sure to add the presentation to proposed agenda topics in the [meeting +To get rough feedback, please add the presentation to proposed agenda topics in the [meeting notes](https://docs.google.com/document/d/170y5biX9k95hYRwprITprG6Mc9xD5glVn-4mB2Jmi2g/) and include the POC or **project lead**. The community may provide feedback on the self-assessment or ask questions about the project. Include anything you @@ -69,10 +71,10 @@ PR, citing the presentation issue number to add the self-assessment to [assessments/projects](/community/assessments/projects) under its own folder. The ticket may then be closed after merged in. -### Growing projects +### More detailed project assessment -Growing projects are likely to have early adopters, having gone beyond -innovators as their sole user base. +A more mature project will likely want a more complete and comprehensive assessment +of the project's security. Note: Responsible roles for specific items are in **bold**. If an incubation project did not complete a self-assessment during sandbox, they are recommended 
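Review bot: In the hunk @@ -56,7 +58,7, the replacement line `To get rough feedback, please add the presentation to proposed agenda topics in the [meeting` runs well past the roughly 80-column wrap used by the surrounding paragraph and "rough feedback" is vaguer than what the section describes (community comments and questions on the self-assessment); consider "To get initial community feedback, add the presentation to the proposed agenda topics in the [meeting" and re-wrap the paragraph.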
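Review bot: In the hunk @@ -69,10 +71,10, the new heading "More detailed project assessment" breaks the TOC link to `#growing-projects` in the same way as the earlier rename, and the unchanged context that follows it (`If an incubation project did not complete a self-assessment during sandbox, they are recommended`) still frames the section in terms of sandbox and incubation stages even though the heading no longer does; either keep the maturity wording in the new intro sentence or reword that note so the section is consistent.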
@@ -92,25 +94,24 @@ Facilitator**](https://github.com/cncf/tag-security/blob/main/governance/roles.m determine if the project is ready for joint-assessment. If ready, a channel will be created to coordinate the activities. -#### Project leverages self-assessment to draft [joint assessment](joint-assessment.md) +#### Project creates a self-assessment -The project uses the self-assessment created from the sandbox phase to draft the -joint assessment. The joint assessment expands upon content of the self-assessment and -provides the **reviewers** with a central starting point in assessing the -current security stature of the project. +As is listed in the above section, the project should create a self-assessment. +This should be created as a google doc to make it easier for the TAG Security +members to edit and comment upon. -#### Project provides the joint assessment and reviewers are assigned +#### Project provides the self assessment and reviewers are assigned The project provides the reviewers with security relevant information about - their project. The joint assessment can include links to external documents and + their project. The self assessment can include links to external documents and sources within the project's repository or website to provide additional details or reference where a process is kept. -* **[Project lead](project-lead.md)** responds to the issue with draft document - (see [joint assessment](joint-assessment.md)) +* **[Project lead](project-lead.md)** responds to the issue with draft + self assessment * Issue assigned to **lead [security reviewer](security-reviewer.md)** who will - recruit at least one additional reviewer, if one is not already assigned, -and facilitate the process. + recruit at least two additional reviewers, if one is not already assigned. + The security assessment facilitator will also likely help in this task. #### Conflict of interest statement and review 
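Review bot: In the hunk @@ -92,25 +94,24, the new recruitment bullet is internally inconsistent: `recruit at least two additional reviewers, if one is not already assigned.` states a count of two but conditions on one; make the condition match ("if they are not already assigned") and state the intended minimum team size once. Smaller points in the same hunk: "google doc" should be "Google Doc"; the hunk alternates between "self-assessment" (`#### Project creates a self-assessment`) and "self assessment" (`#### Project provides the self assessment and reviewers are assigned`), and since the TOC anchors are generated from these headings one spelling should be used throughout; and removing both links to joint-assessment.md leaves the joint assessment, which later steps still produce as a "draft joint assessment", without any pointer to its template.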
@@ -152,33 +153,34 @@ prior to the *3 week* time frame for a TSSA. * **Lead security reviewer or their designee** will perform an initial, clarifying assessment to: * Verify completeness - * Ask for clarifications + * Ask for clarifications * Ensure terms are defined * Ensure concepts introduced are explained with context * Provide quick feedback -#### Security assessment with optional hands-on assessment +**Imporantantly, comments on the document should be addressed in the document text, as +the comments will be lost when the document is later converted to markdown.** + +#### Security assessment The TSSA process provides time for the security reviewers and the project to address security and technical details associated with the project. Information -created or received out of the assessment is leveraged in finalizing the joint +created or received out of the assessment is leveraged in finalizing the self assessment and creating the project's TSSA package in the README file. -If the security reviewers include individuals capable of performing a hands-on -assessment, the hands-on assessment is included in this step. 
- * **Project** posts their document to the project security assessment channel, allowing at least one week for review prior to Q&A -* **Security reviewers** review the joint-assessment document, links, and other +* **Security reviewers** review the self-assessment document, links, and other materials provided by the project and provide comments and questions * It is highly recommended that security reviewers familiarize themselves with the project's repo and docs if available * **Security reviewers and project lead/POCs** ensure all reviewer questions, - comments, and feedback are addressed and finalize the joint assessment -* **Lead security reviewer or their designee,** with the assistance of the -**security reviewers** create a [draft summary - document](joint-readme-template.md) to capture existing comments, feedback, - and recommendations prior to the presentation. + comments, and feedback are addressed and finalize the self assessment. + The project has final edit discretion on the self assessment document. +* **The assessment team meets and presents their recommendations to the project** + in the form of a draft joint assessment. The project and assessment team + work together to augment and improve this document, with the assessor having + final edit discretion. #### Presentation 
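Review bot: In the hunk @@ -152,33 +153,34, the bullet `* **The assessment team meets and presents their recommendations to the project**` bolds the entire sentence, while the section's stated convention (`Note: Responsible roles for specific items are in **bold**`) reserves bold for role names; bold only "assessment team". "Imporantantly" is misspelled in the new bold paragraph. The deleted `document](joint-readme-template.md)` link was the only reference to the joint assessment template, so the new "draft joint assessment" bullet should link to it. Finally, dropping the hands-on assessment step is a process change, not just a document refresh, and the commit message ("Work to fix outdated assessment document") should say so.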
@@ -190,26 +192,13 @@ questions and feedback to the reviewers and project. * Presentation is recorded as part of standard TAG process * Presentation slides are linked in the /assessments/projects/project-name/ -#### Final summary - -The final summary provides a cursory assessment of the project, background, summary -of the joint assessment, and recommendations to the CNCF, the project, and other -recommendations of note. The final summary should also list the version or -release the joint assessment covered to better enable tracking for updates of the -TSSA package. - -* **Lead security reviewer** creates a branch labeled WIP and provides branch - information to additional reviewers. -* **Lead security reviewer** places the [summary](joint-readme-template.md) into - branch for finalization -* **Reviewers** either comment or provide changes (feedback and recommendations) - to the branch given and submit PR -* Either **project lead or reviewers** may request further WG discussion -* **Project lead** prepares a PR to /assessments/projects/project-name/ when all - comments, feedback, and recommendations are incorporated for the joint -assessment and presentation slides. -* PR approval of at least 1 **co-chair**, alongside other **reviewers'** -approvals, is required before merging any artifacts. +The assessment team also should give a quick rundown of the assessment recommendations. + +#### Final artefacts which are committed + +The self assessment and joint assessment are added to the repository under a +directory named for the project name. The issue may then be closed and the PR +merged. #### [Post-assessment survey](review-survey.md) From ca77d15fb2fae9c6646ac55acf3fbd7e12cd3c67 Mon Sep 17 00:00:00 2001 From: Marco De Benedictis Date: Wed, 27 Nov 2024 21:10:15 +0100 Subject: [PATCH 2/7] fix(assessments/guide): linting, spelling, links 
Signed-off-by: Marco De Benedictis --- community/assessments/guide/README.md | 30 +++++++++++++-------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/community/assessments/guide/README.md b/community/assessments/guide/README.md index d464ffef0..e895043c4 100644 --- a/community/assessments/guide/README.md +++ b/community/assessments/guide/README.md @@ -6,20 +6,20 @@ should be assessed during a TAG-Security Security Assessment (TSSA). * [Roles](#roles) * [TSSA package steps](#tssa-package-steps) - * [New projects](#new-projects) + * [Abbreviated project assessment](#abbreviated-project-assessment) 1. [Self-assessment](#complete-a-self-assessment) 2. [Create issue](#create-a-presentation-issue) 3. [Present](#present-the-project-and-self-assessment) 4. [Submit PR](#submit-a-pr-to-include-the-self-assessment-in-the-repo) - * [Growing projects](#growing-projects) + * [More detailed project assessment](#more-detailed-project-assessment) 1. [Create issue](#create-tracking-issue) - 2. [Draft joint assessment](#project-provides-the-joint-assessment-and-reviewers-are-assigned) - 3. [Reviewers assigned](#project-provides) + 2. [Self-assessment](#project-creates-a-self-assessment) + 3. [Reviewers assigned](#project-provides-the-self-assessment-and-reviewers-are-assigned) 4. [Conflict of interest](#conflict-of-interest-statement-and-review) 5. [Clarifying questions](#clarifying-questions-phase) - 6. [Assessment](#security-assessment-with-optional-hands-on-assessment) + 6. [Assessment](#security-assessment) 7. [Presentation](#presentation) - 8. [Final summary](#final-summary) + 8. [Final artifacts](#final-artifacts-which-are-committed) 9. [Survey](#post-assessment-survey) * [Additional process notes](#additional-process-notes) 
@@ -37,9 +37,9 @@ stages](https://github.com/cncf/toc/tree/main/process). ### Abbreviated project assessment -Projects which are very early on in their maturity may use a short process to +Projects which are very early on in their maturity may use a short process to get some initial feedback by documenting their threat model and security design. -They use an abbreviated process which does not result in a joint assessment or a +They use an abbreviated process which does not result in a joint assessment or a detailed review by TAG Security. Note: Responsible roles for specific items are in **bold** @@ -48,7 +48,7 @@ Note: Responsible roles for specific items are in **bold** The self-assessment provides projects with the opportunity to examine the existing security provisions of the project. It can serve as their initial -security documentation for users. +security documentation for users. #### Create a [presentation issue](https://github.com/cncf/tag-security/issues/new?assignees=&labels=usecase-presentation&template=presentation.md&title=%5BPresentation%5D+Presentation+Title) @@ -97,7 +97,7 @@ created to coordinate the activities. #### Project creates a self-assessment As is listed in the above section, the project should create a self-assessment. -This should be created as a google doc to make it easier for the TAG Security +This should be created as a google doc to make it easier for the TAG Security members to edit and comment upon. #### Project provides the self assessment and reviewers are assigned 
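Review bot: In PATCH 2/7, hunk @@ -97,7 +97,7, the line `This should be created as a google doc to make it easier for the TAG Security` is touched only to remove trailing whitespace; since this commit is the spelling pass for the file, also capitalize "Google Doc" here.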
@@ -153,12 +153,12 @@ prior to the *3 week* time frame for a TSSA. * **Lead security reviewer or their designee** will perform an initial, clarifying assessment to: * Verify completeness - * Ask for clarifications + * Ask for clarification * Ensure terms are defined * Ensure concepts introduced are explained with context * Provide quick feedback -**Imporantantly, comments on the document should be addressed in the document text, as +**Importantly, comments on the document should be addressed in the document text, as the comments will be lost when the document is later converted to markdown.** #### Security assessment @@ -194,10 +194,10 @@ questions and feedback to the reviewers and project. The assessment team also should give a quick rundown of the assessment recommendations. -#### Final artefacts which are committed +#### Final artifacts which are committed -The self assessment and joint assessment are added to the repository under a -directory named for the project name. The issue may then be closed and the PR +The self assessment and joint assessment are added to the repository under a +directory named for the project name. The issue may then be closed and the PR merged. #### [Post-assessment survey](review-survey.md) From 87275651218c3a21690ff0624ffa67c3a301ddb1 Mon Sep 17 00:00:00 2001 From: Marco De Benedictis Date: Wed, 27 Nov 2024 21:15:09 +0100 Subject: [PATCH 3/7] ci: add TSSA to known words Signed-off-by: Marco De Benedictis --- ci/spelling-config.json | 1 + 1 file changed, 1 insertion(+) diff --git a/ci/spelling-config.json b/ci/spelling-config.json index 08ea92bc8..83c24c6a4 100644 --- a/ci/spelling-config.json +++ b/ci/spelling-config.json @@ -190,6 +190,7 @@ "triaging", "trojanized", "trufflehog", + "TSSA", "TTPS", "Twintag", "unencrypted", From f8d159942049416e185107b5800903305c968e0c Mon Sep 17 00:00:00 2001 From: Marco De Benedictis Date: Wed, 27 Nov 2024 21:20:24 +0100 Subject: [PATCH 4/7] fix(assessments/guide): heading links 
Signed-off-by: Marco De Benedictis --- community/assessments/guide/README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/community/assessments/guide/README.md b/community/assessments/guide/README.md index e895043c4..6f69ec2cc 100644 --- a/community/assessments/guide/README.md +++ b/community/assessments/guide/README.md @@ -44,17 +44,17 @@ detailed review by TAG Security. Note: Responsible roles for specific items are in **bold** -#### Complete a [self-assessment](self-assessment.md) +#### Complete a self-assessment -The self-assessment provides projects with the opportunity to examine the +The [self-assessment](self-assessment.md) provides projects with the opportunity to examine the existing security provisions of the project. It can serve as their initial security documentation for users. -#### Create a [presentation issue](https://github.com/cncf/tag-security/issues/new?assignees=&labels=usecase-presentation&template=presentation.md&title=%5BPresentation%5D+Presentation+Title) +#### Create a presentation issue This presentation should go over the self-assessment and provide TAG-Security with an initial understanding of the project. It is recommended the **project -lead** submit the issue as the primary point of contact (POC). +lead** submit the [presentation issue](https://github.com/cncf/tag-security/issues/new?assignees=&labels=usecase-presentation&template=presentation.md&title=%5BPresentation%5D+Presentation+Title) as the primary point of contact (POC). #### Present the project and self-assessment 
@@ -80,9 +80,9 @@ Note: Responsible roles for specific items are in **bold**. If an incubation project did not complete a self-assessment during sandbox, they are recommended to start with the self-assessment before pursing joint assessment. -#### [Create tracking issue](https://github.com/cncf/tag-security/issues/new?assignees=&labels=triage-required&template=joint-assessment.md&title=%5BTSSA%5D+Project+Name) +#### Create tracking issue -The tracking issue serves to initiate the joint-assessments. It provides an initial +The [tracking issue](https://github.com/cncf/tag-security/issues/new?assignees=&labels=triage-required&template=joint-assessment.md&title=%5BTSSA%5D+Project+Name) serves to initiate the joint-assessments. It provides an initial set of information to assist TAG-Security in prioritizing the joint assessment as well as provide potential reviewers with a central location to manage the effort. @@ -200,9 +200,9 @@ The self assessment and joint assessment are added to the repository under a directory named for the project name. The issue may then be closed and the PR merged. -#### [Post-assessment survey](review-survey.md) +#### Post-assessment survey -The should be completed by the **reviewers**, **project lead**, and other +The [post-assessment survey](review-survey.md) should be completed by the **reviewers**, **project lead**, and other members of the TSSA. Once complete the survey may be shared directly to the Security Assessment Facilitator, technical leads, and co-chairs or be part of the PR into the /assessments/projects/project-name folder. From 62d0acfa43c49d73ee368d325e8ef0880740c37c Mon Sep 17 00:00:00 2001 From: Justin Cappos Date: Wed, 27 Nov 2024 16:13:07 -0500 Subject: [PATCH 5/7] Update community/assessments/guide/README.md Co-authored-by: Marco De Benedictis Signed-off-by: Justin Cappos --- community/assessments/guide/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/community/assessments/guide/README.md b/community/assessments/guide/README.md index 6f69ec2cc..17f1622df 100644 --- a/community/assessments/guide/README.md +++ b/community/assessments/guide/README.md @@ -190,7 +190,7 @@ questions and feedback to the reviewers and project. * Project lead presents to TAG during TAG meeting * Presentation is recorded as part of standard TAG process -* Presentation slides are linked in the /assessments/projects/project-name/ +* Presentation slides are linked in the /community/assessments/projects/project-name/ folder The assessment team also should give a quick rundown of the assessment recommendations. From c341fb3d98be2f294aa47a6e68a428863bfabdb0 Mon Sep 17 00:00:00 2001 From: Justin Cappos Date: Wed, 27 Nov 2024 16:15:09 -0500 Subject: [PATCH 6/7] Update community/assessments/guide/README.md Signed-off-by: Justin Cappos --- community/assessments/guide/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/community/assessments/guide/README.md b/community/assessments/guide/README.md index 17f1622df..8b81f6493 100644 --- a/community/assessments/guide/README.md +++ b/community/assessments/guide/README.md @@ -71,7 +71,7 @@ PR, citing the presentation issue number to add the self-assessment to [assessments/projects](/community/assessments/projects) under its own folder. The ticket may then be closed after merged in. -### More detailed project assessment +### Joint assessment A more mature project will likely want a more complete and comprehensive assessment of the project's security. From 7a3d5f4bab4366d84963444941352760e2b5cd4e Mon Sep 17 00:00:00 2001 From: Marco De Benedictis Date: Thu, 28 Nov 2024 09:26:28 +0100 Subject: [PATCH 7/7] fix(assessments/guide): heading link Signed-off-by: Marco De Benedictis --- community/assessments/guide/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/community/assessments/guide/README.md b/community/assessments/guide/README.md index 8b81f6493..b3d2579cb 100644 --- a/community/assessments/guide/README.md +++ b/community/assessments/guide/README.md @@ -11,7 +11,7 @@ should be assessed during a TAG-Security Security Assessment (TSSA). 2. [Create issue](#create-a-presentation-issue) 3. [Present](#present-the-project-and-self-assessment) 4. [Submit PR](#submit-a-pr-to-include-the-self-assessment-in-the-repo) - * [More detailed project assessment](#more-detailed-project-assessment) + * [Joint assessment](#joint-assessment) 1. [Create issue](#create-tracking-issue) 2. [Self-assessment](#project-creates-a-self-assessment) 3. [Reviewers assigned](#project-provides-the-self-assessment-and-reviewers-are-assigned)
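Review bot: In PATCH 1/7, hunk @@ -190,26 +192,13, the deleted "Final summary" section carried two requirements that the replacement "Final artefacts which are committed" text drops silently: `PR approval of at least 1 **co-chair**, alongside other **reviewers'** approvals, is required before merging any artifacts.` and the instruction to list the version or release the assessment covered so later updates can be tracked. If both are intentionally retired, state that in the commit message; otherwise restate them in the new section, which now says only `The issue may then be closed and the PR merged.` without naming who opens the PR or who must approve it. The new heading also spells "artefacts" while the surrounding text uses "artifacts".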
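Review bot: In PATCH 4/7, hunk @@ -80,9 +80,9, the rewritten line `The [tracking issue](...) serves to initiate the joint-assessments. It provides an initial` keeps the hyphenated plural "joint-assessments" although the rest of the section (and the very next line, "prioritizing the joint assessment") uses "joint assessment"; since the line is being edited anyway, normalize it. The context line `to start with the self-assessment before pursing joint assessment.` has the typo "pursing" for "pursuing", which a link-and-spelling commit touching this hunk could fix at the same time.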
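Review bot: In PATCH 5/7, hunk @@ -190,7 +190,7, the path is corrected to `/community/assessments/projects/project-name/` for the slides bullet only, but the same stale path is still visible in the post-assessment survey paragraph shown as context in PATCH 4/7 (`the PR into the /assessments/projects/project-name folder`); fix both occurrences in one commit so the document does not give two different locations for the same folder. The edited bullet also now runs past the wrap width of the neighbouring bullets; move "folder" onto the continuation line.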
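Review bot: In PATCH 6/7, hunk @@ -71,7 +71,7, renaming the heading to "Joint assessment" leaves the TOC entry `* [More detailed project assessment](#more-detailed-project-assessment)` pointing at a heading that no longer exists until PATCH 7/7 repairs it; squash PATCH 6/7 and 7/7 (and likewise the heading renames in 1/7 with the TOC fixes in 2/7) so that every commit in the series leaves the file's internal links intact, which keeps bisecting and cherry-picking safe.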