
Update controls per CNSWPv2 updates #21

Closed
wants to merge 4 commits into from

Conversation

pratiklotia
Collaborator

@pratiklotia pratiklotia commented Sep 2, 2022

Background

I created a new doc v1.1 to include the updates from CNSWPv2. I also added a changelog to indicate what has been added compared to v1.

Note to Reviewers

(1) For now, any new controls have been added at the end of the doc. While adding them in the respective locations would be recommended, I'm concerned that it leads to the 'ID' being updated for all other controls, and that would be difficult to keep track of/update in dependent frameworks.
(2) CNSWPv2 recommends several SSCP best practices as well as GitOps best practices which are already covered in SSCP controls. (check (3) & (4) in the changelog file). Do we think we should add each control separately again as a part of CNSWP or since it is covered in SSDP, it is fine?

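The PR body above appends new controls at the bottom of the mapping file so that existing IDs stay fixed, and the rows under review are comma-separated with one free-text description column. The lint script below is an added example, not tooling from the repository or this PR: it parses such header-less rows, checks column counts (an unquoted comma in a description splits the row), ID contiguity, the framework version tag, an empty description, and that the mapping column starts with a NIST SP 800-53 control identifier, and computes the next free ID for an appended control. The column names, the set of known framework tags and the control-id pattern are assumptions; the sample rows are constructed from the four rows shown in the review snippet, with two descriptions shortened.

```python
"""Lint for the header-less framework-mapping CSV rows discussed in the PR.

Added example, not tooling from the repository. Column names, the set of
known framework tags and the NIST control-id pattern are assumptions.
"""
import csv
import io
import re

# Assumed column layout: the review snippet shows data rows but no header line.
COLUMNS = ("id", "framework", "category", "control", "description",
           "nist_800_53", "impact_low_mod", "impact_high")
# Assumed set of valid framework tags for this file.
KNOWN_FRAMEWORKS = {"SSCP v1.0", "CNSWP v1.0", "CNSWP v2.0"}
# A NIST SP 800-53 identifier such as AC-2(1) or SA-8(23), then a space and the title.
NIST_ID_RE = re.compile(r"^[A-Z]{2}-\d+(?:\(\d+\))? ")

# Constructed sample: the four rows from the review snippet, two descriptions shortened.
# Row 195 keeps its unquoted, comma-containing description exactly as on the page.
SAMPLE = """\
192,SSCP v1.0,Securing the Source Code,Use SSH keys to provide developers access to source code repositories,,AC-1 REMOTE ACCESS,Moderate to High,Moderate to High
193,SSCP v1.0,Securing the Source Code,Have a key rotation policy,"Implement a key rotation policy so that compromised keys cease to be usable after a certain period of time.",AC-2(1) ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT,Moderate to High,Moderate to High
194,SSCP v1.0,Securing the Source Code,Use short-lived/ephemeral credentials for machine/service access,"For CI/CD pipeline agents, short-lived access tokens should be considered instead of password-based credentials.",AC-2(1) ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT,Moderate to High,Moderate to High
195,CNSWP v1.0,Develop,Implement secure configuration as the default state of the system,Transitioning towards such a system involves making security a design requirement, inheriting default security configuration and supporting an exception process,SA-8(23) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SECURE DEFAULTS,N/A,N/A
"""

BAD_DESC = ("Transitioning towards such a system involves making security a design "
            "requirement, inheriting default security configuration and supporting "
            "an exception process")
# Same rows with row 195's description quoted, so that row parses into eight columns.
SAMPLE_QUOTED = SAMPLE.replace(BAD_DESC, '"' + BAD_DESC + '"')


def lint_mapping(text, adding=None):
    """Return (row number, problem) pairs for the CSV text.

    `adding` names the framework version the change is meant to add, e.g.
    "CNSWP v2.0"; rows of that framework family carrying another version tag
    are flagged.
    """
    issues = []
    prev_id = None
    family = adding.split(" ")[0] if adding else None
    for rownum, fields in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not fields:
            continue
        if len(fields) != len(COLUMNS):
            issues.append((rownum, f"{len(fields)} columns, expected {len(COLUMNS)}: "
                                   "an unquoted comma inside a field splits the row"))
            continue
        row = dict(zip(COLUMNS, fields))
        if row["id"].isdigit():
            cid = int(row["id"])
            if prev_id is not None and cid != prev_id + 1:
                issues.append((rownum, f"id {cid} does not follow {prev_id}; "
                                       "ids are contiguous and never renumbered"))
            prev_id = cid
        else:
            issues.append((rownum, f"non-numeric id {row['id']!r}"))
        fw = row["framework"]
        if fw not in KNOWN_FRAMEWORKS:
            issues.append((rownum, f"unknown framework tag {fw!r}"))
        elif family and fw.startswith(family + " ") and fw != adding:
            issues.append((rownum, f"tagged {fw!r} in a change that adds {adding!r}"))
        if not row["description"].strip():
            issues.append((rownum, "empty description"))
        if not NIST_ID_RE.match(row["nist_800_53"]):
            issues.append((rownum, f"mapping {row['nist_800_53']!r} does not start "
                                   "with a NIST 800-53 control id"))
    return issues


def next_id(text):
    """Id for a control appended at the end of the file: one past the highest id.

    Appending keeps every existing id fixed, which is the reason the PR body
    gives for adding new controls at the bottom instead of in their sections.
    """
    ids = [int(r[0]) for r in csv.reader(io.StringIO(text)) if r and r[0].isdigit()]
    return max(ids, default=0) + 1


if __name__ == "__main__":
    for rownum, problem in lint_mapping(SAMPLE, adding="CNSWP v2.0"):
        print(f"row {rownum}: {problem}")
    print("next free id:", next_id(SAMPLE))
```

Run against the constructed sample, the script reports row 192's empty description and row 195's nine-column split; with row 195's description quoted, the same run instead reports that the row is tagged CNSWP v1.0 in a change that adds CNSWP v2.0, which is the version-tag question raised in the review comments.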
@pratiklotia pratiklotia linked an issue Sep 2, 2022 that may be closed by this pull request
192,SSCP v1.0,Securing the Source Code,Use SSH keys to provide developers access to source code repositories,,AC-1 REMOTE ACCESS,Moderate to High,Moderate to High
193,SSCP v1.0,Securing the Source Code,Have a key rotation policy,"It is recommended to implement a key rotation policy to ensure that compromised keys will cease to be usable after a certain period of time. When a private key is known to have been compromised, it should be revoked and replaced immediately to shut off access for any unauthorized user. Organizations may also consider using short lived certificates or keys, which reduces the reliance on certificate revocation systems.",AC-2(1) ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT,Moderate to High,Moderate to High
194,SSCP v1.0,Securing the Source Code,Use short-lived/ephemeral credentials for machine/service access,"Short-life credential issuance encourages the use of fine grained permissions and automation in provisioning access tokens. For CI/CD pipeline agents, short-lived access tokens should be considered instead of password-based credentials. The use of very short-lived tokens like OAuth 2.0, OpenID Connect, etc., will help to implement more secure access and increase the security assurance.",AC-2(1) ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT,Moderate to High,Moderate to High
195,CNSWP v1.0,Develop,Implement secure configuration as the default state of the system,Transitioning towards such a system involves making security a design requirement, inheriting default security configuration and supporting an exception process,SA-8(23) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SECURE DEFAULTS,N/A,N/A
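Review bot: row 195's description contains two commas but, unlike the descriptions on rows 193 and 194, is not enclosed in double quotes, so a CSV parser splits this row into nine columns instead of eight; wrap it as `"Transitioning towards such a system involves making security a design requirement, inheriting default security configuration and supporting an exception process"`. The row is also tagged `CNSWP v1.0` although the PR adds the CNSWPv2 controls, which is the version question raised in the comment below. Row 192 leaves its description column empty, and its mapping `AC-1 REMOTE ACCESS` pairs the title REMOTE ACCESS with AC-1, whereas in NIST SP 800-53 REMOTE ACCESS is AC-17 and AC-1 is POLICY AND PROCEDURES; confirm which was intended.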
Member

Should this, and the next 3, be CNSWP v2.0?

@JonZeolla
Member

Is it a fair summary to say that there are only 3 additional controls in the CNSWP v2 vs v1? Meaning that CNSWP v2 is a true superset of v1?

@JonZeolla
Member

@pratiklotia please rebase on main

@JonZeolla
Member

@pratiklotia when you get a chance can you please give this PR some love? Thanks!

@JonZeolla JonZeolla mentioned this pull request Nov 30, 2023
Development

Successfully merging this pull request may close these issues.

Add a mapping to the CNSWPv2
2 participants