Improve policy language consistency #139
Comments
|
Additional thought, and possibly should be a separate issue... Should there be ID numbers of some kind for each of these policies? See examples like the CIS benchmarks. Here's an example from a docker benchmark scanner that clearly maps to those rules/policies. https://github.com/dev-sec/cis-docker-benchmark/blob/master/controls/container_images.rb |
|
Thanks for your kind feedback @derekmurawsky! 🔥 Regarding the ID numbers, currently the policy names act as unique IDs, for what use case do you think unique ID numbers could be useful for? |
|
I found you through the OSSF Security Best Practices group. I'm a lurker/random contributor over there. 😄 I have a few philosophical issues with some of the policies you suggest, but I agree with the ones I've seen so far from a purely security perspective. (See previously linked comment for examples). RE: ID Numbers When referencing, it is much easier to reference a number, like RE: Re-Titling, I'll try to get a draft together this week. |
|
I worked on this a bit today and had a sample ready to push. |
This commit adopts the following in an attempt to provide clarity in policy titles and adopt some more standard RFC language. - Critical/High rules => Must - Medium/Low => Should Additionally, it updates some of the policy language to be more clear. Resolves: Legit-Labs#139 See Also: [RFC-2119](https://www.rfc-editor.org/rfc/rfc2119) See Also: [RFC-8174](https://www.rfc-editor.org/rfc/rfc8174)
|
Cool that you found us there 😄 RE: ID Number:: Good point. Reviewing your pull requests made it clear to me how important it is. I'll create an issue for adding policies id numbers. |
|
Another general note: I believe it would make sense to separate the higher-level policy ideas from the specific implementations. You've started doing this by having groups of policies for specific areas, but I think it would be good to formalize that from a docs/policy side as well. I have no idea how complicated that would be to implement technically, but I think it would make life much easier in the long run, especially around the OSSF stuff. Perhaps this is a separate issue as well? Examples in industry of what I call "The Policy Pyramid"
Examples: Policy Section: Default Branch Controls Policy Section: Global SCM Controls By taking this approach, you can be more DRY as well. You only write the reasoning for the policy once at a higher level and then link to it for your specific implementations. This could also affect your numbering in #141 so I thought it best to bring up now. There was a great example of this that I saw in one of the OPA-Related projects, but I can't find it off the cuff. I'll link it later if I can track it down. ETA: Not the one I was originally thinking of, but regula does a decent job of mapping their controls using metadata/tags. This would be a huge value-add to enterprise users. This example specifically links to the AWS CIS Benchmark. If you developed a policy, you could link the same way. And if you support generic tagging, you could link to industry standards as well. |
|
Just submitted the updates. Should be good to go now. |
* docs: Provide clarity in policy titles This commit adopts the following in an attempt to provide clarity in policy titles and adopt some more standard RFC language. - Critical/High rules => Must - Medium/Low => Should Additionally, it updates some of the policy language to be more clear. Resolves: #139 See Also: [RFC-2119](https://www.rfc-editor.org/rfc/rfc2119) See Also: [RFC-8174](https://www.rfc-editor.org/rfc/rfc8174) * fix: metadata yaml format issue Yaml is particular and needs spaces after colons. It can be hard to track this down when it's in a comment block. It's even more difficult when you are new to go and don't realize that the docstrings are pulled from the compiled code and not the source on disk. Whoops... * docs: Changed must to should Per the conversation in [this PR](#140 (comment)) I changed instanced of `must` to `should` as all of this advice is guidance that may be followed or not at the discretion of the implementation teams that use this tool. --------- Co-authored-by: noamd-legit <74864790+noamd-legit@users.noreply.github.com>
TL;DR
First off, fantastic tool. It's fast and I love to see something of this quality in the open source world.
However, I ran into an odd thing that could be a "bug", but is more likely a feature enhancement? Specifically, the policy title language used is not consistent and that leads to confusion when looking at the results in tabular form.
Examples:
I would suggest changing the policy titles to be affirmative or negative, and then make the test results clearly align to them throughout all your policy titles. This would greatly aid in clarity.
Example:
Also note, in my previous language there is a case to be made that "should" be changed to "must" if you want to conform with policy and standards language like RFC 2119 / 8174 / etc
Again, I love the idea of this tool and am really impressed with what you have done already. It's very useful. Just noticed this oddity and it made me a few other folks on my team go "huh?" so I thought I would share. Thanks again for a great tool, and I look forward to seeing where it goes. :)
Detailed design
No response
Additional information
Yes, this is pedantic. I do think it's important, though. I'm happy to help with suggested edits, but didn't want to do so unless there was appetite for it.
The text was updated successfully, but these errors were encountered: