1 parent 7d4c9b0, commit 7b979b2. Showing 2 changed files with 38 additions and 1 deletion.
@@ -0,0 +1,34 @@ | ||
# Security Assessment Priorities & Pipeline Intake Process | ||
|
||
SIG-Security has a volunteer team of subject matter experts and industry professionals dedicated to helping SIG-Security members, the TOC, and the larger CNCF community maintain an understanding of the current state of security in the cloud native ecosystem and helping cloud native projects succeed. | ||
|
||
The following process describes how projects are prioritized for security assessments. | ||
|
||
# Authority | ||
|
||
* The [Security Assessment Facilitator](../governance/roles.md#security-assessment-facilitator) maintains the Assessment queue | ||
* A named chair provides oversight for the Security Assessment initiative. | ||
This chair can adjust queue, and is also responsible for conveying TOC | ||
instructions, when needed. (Sarah Allen is the current named Chair for Security Assessments.) | ||
|
||
# Pre-conditions | ||
|
||
* The project is either a CNCF project OR an assertion that the project is cloud native (any objection must be resolved before an assessment would be considered) | ||
* The project has identified a project lead and has a written self-assessment | ||
|
||
# Intake priorities | ||
|
||
1. TOC requests SIG-Security review a specific project or adjust priorities | ||
a. TOC request will not interrupt an ongoing assessment | ||
b. TOC requests may jump the prioritized queue of projects waiting for an assessment | ||
2. Projects that have received a CNCF Security Audit will be reviewed within a year of audit. | ||
3. CNCF Projects that request a review (or invited by SIG members). Prioritized by | ||
project majority (Graduated projects will be highest priority, then incubated projects, then sandbox.) | ||
4. Non-CNCF Projects that request a review (or invited by SIG members) | ||
|
||
## Updates and renewal | ||
|
||
The Security Assessment team will review assessed projects annually, | ||
focusing primarily on any issues or concerns raised in previous assessments, | ||
addressing new functionality that affects risk profile of the project, | ||
and any issue that may have been flagged about the project. |
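Review bot: in the "Intake priorities" list, "Prioritized by project majority" almost certainly means "project maturity", since the parenthetical ranks graduated, then incubated, then sandbox projects, which are the CNCF maturity levels. Two rendering points in the same hunk: the sub-items "a. TOC request will not interrupt an ongoing assessment" and "b. TOC requests may jump the prioritized queue of projects waiting for an assessment" are not indented, so Markdown folds them into the text of item 1 instead of rendering a nested list (indent them under item 1); and the section headings "# Authority", "# Pre-conditions" and "# Intake priorities" sit at the same level as the document title while "## Updates and renewal" is one level below, so the latter reads as a subsection of "Intake priorities". Demoting the section headings to "##" and the last one to "###" keeps the hierarchy consistent.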