Security Assessments

Goals

The security assessment process is designed to accelerate the adoption of cloud native technologies, based on the following goals and assumptions:

1) Reduce risk across the ecosystem

The primary goal is to reduce the risk from malicious attacks and accidental breaches of privacy. This process supports that goal in two ways:

  • A clear and consistent communication process increases detection and reduces the time to resolve known or suspected vulnerability issues
  • A collaborative evaluation process increases domain expertise within each participating project.

2) Accelerate adoption of cloud native technologies

Security reviews are a necessary, time-intensive process. Each company, organization and project must perform its own reviews to ensure that it meets its unique commitments to its own users and stakeholders. In open source, simply finding security-related information can be overwhelmingly difficult and a time-consuming part of the security review. The CNCF security assessment process (hereafter "security assessment") is intended to improve discovery of security information and to help streamline internal and external security reviews in multiple ways:

  • Consistent documentation reduces review time
  • Established baseline of security-relevant information reduces Q&A
  • Clear rubric for security profile enables organizations to align their risk profile with the project’s risk profile and effectively allocate resources (for review and needed project contribution)
  • Structured metadata allows for navigation, grouping and cross-linking

We expect that this process will raise awareness of how specific open source projects affect the security of a cloud native system; however, separate activities may be needed to achieve that purpose using materials generated by the assessments.

Outcome

Each project's security assessment shall include a description of:

  1. the project's design goals with respect to security
  2. any aspects of design and configuration that could introduce risk
  3. known limitations, such as expectations or assumptions that aspects of security, whole or in part, are to be handled by upstream or downstream dependencies or complementary software
  4. next steps toward increasing security of the project itself and/or increasing the applications of the project toward a more secure cloud native ecosystem

Due to the nature and timeframe for the analysis, this review is not meant to subsume the need for a professional security audit of the code. Audits of implementation-specific vulnerabilities, improper deployment configurations, etc. are not in scope of a security assessment. A security assessment is intended to uncover design flaws and to obtain a clear, comprehensive articulation of the project's design goals and aspirations while documenting the intended security properties enforced, fulfilled, or executed by said project.

Finalized assessments may be used by the community to assist in contextual evaluation of a project but are not an endorsement of the security of the project, not a security audit of the project, and do not relieve an individual or organization from performing due diligence and complying with laws, regulations, and policies.

Draft assessments contain unconfirmed content and are not endorsed as factual until committed to this repository, which requires detailed peer review. Draft assessments may also contain speculative content while the project lead or security reviewer is performing an evaluation. Draft assessments are only for the purpose of preparing the final assessment and are not to be used in any other capacity by the community.

Final slides resulting from a project's security assessment will be stored in the individual project's assessment folder with supporting documentation from the assessment. These folders can be found under assessments/projects by clicking on the project name.

Process

The security assessment is a collaborative process for the benefit of the project and the community, where the primary content is generated by the project lead and revised based on feedback from security reviewers and other members of the SIG.

  • If you are interested in a security assessment for your project and are willing to volunteer as project lead, or you are a SIG-Security member and want to recommend a project to review, please file an issue.

See the security assessment guide for more details. To understand how we prioritize reviews, see the intake process.