Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
7b979b2
commit 1247460
Showing
1 changed file
with
28 additions
and
17 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,34 +1,45 @@ | ||
| # Security Assessment Priorities & Pipeline Intake Process | ||
|
|
||
| SIG-Security has a volunteer team of subject matter experts and industry professionals dedicated to helping SIG-Security members, the TOC, and the larger CNCF community maintain an understanding of the current state of security in the cloud native ecosystem and helping cloud native projects succeed. | ||
| SIG-Security has a volunteer team of subject matter experts and industry | ||
| professionals dedicated to helping SIG-Security members, the TOC, and the larger | ||
| CNCF community maintain an understanding of the current state of security in the | ||
| cloud native ecosystem and helping cloud native projects succeed. | ||
|
|
||
| The following process describes how projects are prioritized for security assessments. | ||
| The following process describes how projects are prioritized for security | ||
| assessments. | ||
|
|
||
| # Authority | ||
|
|
||
| * The [Security Assessment Facilitator](../governance/roles.md#security-assessment-facilitator) maintains the Assessment queue | ||
| * A named chair provides oversight for the Security Assessment initiative. | ||
| This chair can adjust queue, and is also responsible for conveying TOC | ||
| instructions, when needed. (Sarah Allen is the current named Chair for Security Assessments.) | ||
| * The [Security Assessment | ||
| Facilitator](../governance/roles.md#security-assessment-facilitator) maintains | ||
| the Assessment queue | ||
| * A named chair provides oversight for the Security Assessment initiative. This | ||
| chair can adjust queue, and is also responsible for conveying TOC | ||
| instructions, when needed. (Sarah Allen is the current named Chair for | ||
| Security Assessments.) | ||
|
|
||
| # Pre-conditions | ||
|
|
||
| * The project is either a CNCF project OR an assertion that the project is cloud native (any objection must be resolved before an assessment would be considered) | ||
| * The project is either a CNCF project OR an assertion that the project is cloud | ||
| native (any objection must be resolved before an assessment would be | ||
| considered) | ||
| * The project has identified a project lead and has a written self-assessment | ||
|
|
||
| # Intake priorities | ||
|
|
||
| 1. TOC requests SIG-Security review a specific project or adjust priorities | ||
| a. TOC request will not interrupt an ongoing assessment | ||
| b. TOC requests may jump the prioritized queue of projects waiting for an assessment | ||
| 2. Projects that have received a CNCF Security Audit will be reviewed within a year of audit. | ||
| 3. CNCF Projects that request a review (or invited by SIG members). Prioritized by | ||
| project majority (Graduated projects will be highest priority, then incubated projects, then sandbox.) | ||
| 1. TOC requests SIG-Security review a specific project or adjust priorities a. | ||
| TOC request will not interrupt an ongoing assessment b. TOC requests may jump | ||
| the prioritized queue of projects waiting for an assessment | ||
| 2. Projects that have received a CNCF Security Audit will be reviewed within a | ||
| year of audit. | ||
| 3. CNCF Projects that request a review (or invited by SIG members). Prioritized | ||
| by project majority (Graduated projects will be highest priority, then | ||
| incubated projects, then sandbox.) | ||
| 4. Non-CNCF Projects that request a review (or invited by SIG members) | ||
|
|
||
| ## Updates and renewal | ||
|
|
||
| The Security Assessment team will review assessed projects annually, | ||
| focusing primarily on any issues or concerns raised in previous assessments, | ||
| addressing new functionality that affects risk profile of the project, | ||
| and any issue that may have been flagged about the project. | ||
| The Security Assessment team will review assessed projects annually, focusing | ||
| primarily on any issues or concerns raised in previous assessments, addressing | ||
| new functionality that affects risk profile of the project, and any issue that | ||
| may have been flagged about the project. |