Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Improvement] Clarifying the "Get Customer" requirement in Section 3.3.2 to make the logic clearer #27

Closed
shanecoughlan opened this issue Feb 21, 2023 · 2 comments
Closed

[Improvement] Clarifying the "Get Customer" requirement in Section 3.3.2 to make the logic clearer #27

shanecoughlan opened this issue Feb 21, 2023 · 2 comments

Comments

@shanecoughlan
Copy link
Contributor

Action

Changed "get Customer Agreement" to make it clearer and moved it into a more logical section of the workflow.

Old Language

(Please note this "old language" includes an improvement from Security Assurance Specification 1.1 that addresses the lack of a citation of "mitigation" in Section 3.3.2. You will find this improvement under this issue: #26
)

3.3.2 - Security Assurance

  • For each Open Source Software component in the bill of materials for the Supplied Software release under review;
  • Apply method for detecting existence of Known Vulnerabilities;
  • For each identified Known Vulnerability assign a risk/impact score;
  • For each detection and assigned score determine and document necessary remediation or mitigation steps suitable for the use-case of the software and get Customer Agreement at or above a previously determined level (i.e., all severity scores above 4.5 …);
  • Depending on the risk/impact score take the appropriate action (e.g., contact customers if necessary, upgrade software component, no further action, …);
  • If a Newly Discovered Vulnerability is present in previously distributed Supplied Software, depending on the risk/impact score take the appropriate action (e.g., contact customers if warranted);
  • An ability to monitor Supplied Software after their release to market and to respond to Known Vulnerability or Newly Discovered Vulnerability disclosures.

New Language

3.3.2 - Security Assurance

  • For each Open Source Software component in the bill of materials for the Supplied Software release under review;
  • Apply method for detecting existence of Known Vulnerabilities;
  • For each identified Known Vulnerability assign a risk/impact score;
  • For each detection and assigned score determine and document necessary remediation or mitigation steps suitable for the use-case of the software
  • Depending on the risk/impact score take the appropriate action (e.g., contact customers if necessary, upgrade software component, no further action, …);
  • Obtain Customer Agreement that the proposed resolution is acceptable if necessary;
  • If a Newly Discovered Vulnerability is present in previously distributed Supplied Software, depending on the risk/impact score take the appropriate action (e.g., contact customers if warranted);
  • An ability to monitor Supplied Software after their release to market and to respond to Known Vulnerability or Newly Discovered Vulnerability disclosures.

Rationale

The "get Customer Agreement" was too specific and it was in the wrong place in the workflow for easy reading.
shanecoughlan added a commit that referenced this issue Feb 21, 2023
@shanecoughlan
Changed "get Customer Agreement" to make it clearer and moved it into…
85133e2 
… a more logical section of the workflow.

The "get Customer Agreement" was too specific and it was in the wrong place in the workflow for easy reading.

Discussed on North America / Asia call 2023-02-21

See issue #27
@shanecoughlan shanecoughlan changed the title [Improvement] Clarifying the "Get Customer" requirement to make the logic clearer [Improvement] Clarifying the "Get Customer" requirement in Section 3.3.2 to make the logic clearer Feb 21, 2023
@shanecoughlan
Copy link
Contributor Author

This issue is being closed as complete (for now). You can reopen it at any time to add new comments, ideas or concerns.

@shanecoughlan
Copy link
Contributor Author

Further discussed on monthly North America / Europe call of 2023-03-07. Result was expanded wording of one line.

Changed:

Obtain Customer Agreement that the proposed resolution is acceptable if necessary;

To

obtain Customer Agreement that the proposed resolution is acceptable if necessary; at or above a previously determined level (i.e., all severity scores above 4.5 …).

Old Language

3.3.2 - Security Assurance

For each Open Source Software component in the bill of materials for the Supplied Software release under review;
Apply method for detecting existence of Known Vulnerabilities;
For each identified Known Vulnerability assign a risk/impact score;
For each detection and assigned score determine and document necessary remediation or mitigation steps suitable for the use-case of the software
Depending on the risk/impact score take the appropriate action (e.g., contact customers if necessary, upgrade software component, no further action, …);
Obtain Customer Agreement that the proposed resolution is acceptable if necessary;
If a Newly Discovered Vulnerability is present in previously distributed Supplied Software, depending on the risk/impact score take the appropriate action (e.g., contact customers if warranted);
An ability to monitor Supplied Software after their release to market and to respond to Known Vulnerability or Newly Discovered Vulnerability disclosures.

New Language

3.3.2 - Security Assurance

For each Open Source Software component in the bill of materials for the Supplied Software release under review;
Apply method for detecting existence of Known Vulnerabilities;
For each identified Known Vulnerability assign a risk/impact score;
For each detection and assigned score determine and document necessary remediation or mitigation steps suitable for the use-case of the software
Depending on the risk/impact score take the appropriate action (e.g., contact customers if necessary, upgrade software component, no further action, …);
Obtain Customer Agreement that the proposed resolution is acceptable if necessary; at or above a previously determined level (i.e., all severity scores above 4.5 …).;
If a Newly Discovered Vulnerability is present in previously distributed Supplied Software, depending on the risk/impact score take the appropriate action (e.g., contact customers if warranted);
An ability to monitor Supplied Software after their release to market and to respond to Known Vulnerability or Newly Discovered Vulnerability disclosures.

shanecoughlan added a commit that referenced this issue Mar 21, 2023
@shanecoughlan
Update openchain-security-specification-2.0.md
00ab0ea 
Updated as per
#27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@shanecoughlan