How does Cloud Service Certification maintain the security of the environment and the protection of the environment for open source consumers

[mcleo-d]

As raised on the Cloud Service Certification call on 30th January 2020 Ken D'Aura from The Hartford - Insurance Firm

Roadmap item : How does Cloud Service Certification maintain the security of the environment and the protection of the environment for open source consumers?

[git-hub-forwork1]

Since I was not in attendance for the meeting this question was posed I will have to assume the purpose. I assume the question is a supply chain question since this project would be the OSS portion of the equation. This project will have a peer review process to ensure the content created is functional (works as intended) and at least 2 members feel the content meets the control objective it was created for.
This is OSS and it should not be trusted completely. This is the purpose of the design of the artifacts as well. The intention to turn control implementations into code and provide the bdd test cases and the user stories is so consumers can rebuild this content themselves using the stories. The can verify the actions of the code actually do the tasks intended.
If I took this question the wrong way please do update me so I can respond more accurately.

[mcleo-d]

@peterrhysthomas - As a result of your contribution during the CSC call on 7th May, can you note the next steps for this item?

[peterrhysthomas]

I think we should add this to the documentation, this is a nice summary of the contribution process and also the guarantee/warrantee provisions of the software (effectively we are saying this is distributed without any guarantee and any users should perform their own due diligence).

[mcleo-d]

#52 raised to add the question and answer to the CSC wiki.