This repository has been archived by the owner on Sep 6, 2023. It is now read-only.

📚 Document a security threat model for the secureCodeBox Project #42

Closed
rseedorff opened this issue Oct 19, 2020 · 4 comments
Labels
documentation Improvements or additions to documentation

Comments

@rseedorff (Member)

As a secureCodeBox user I want to know more about the security aspects of the secureCodeBox itself. Therefore I would like to find a documented threat model of the project which lists all known threats and countermeasures.

Topics which could be interesting therefore:

  • security aspects of the underlying SCB architecture
  • data flow and data processing within the SCB Operator and all components (storage, scanner, hooks)
  • Kubernetes security aspects like network security policies, pod security policies, security context, resource limits and namespace quota and their impact on the secureCodeBox
  • authentication and authorization of used service accounts and their impact in multi tenancy clusters
  • CICD security of the SCB Project (SDLC)

To give you an impression of how such a threat model can be documented, here is a good example from the OAuth2 spec: https://tools.ietf.org/html/rfc6819

@rseedorff rseedorff added the documentation Improvements or additions to documentation label Oct 19, 2020
@rseedorff rseedorff changed the title Document a security threat modell for the secureCodeBox Project 📚 Document a security threat modell for the secureCodeBox Project Oct 19, 2020
@Weltraumschaf (Member) commented Jun 10, 2022

This is a very old one, but an important one IMO.

This is a good one for @fbelz and @fphoer to do their first own threat modeling. @malexmave what do you think?

@malexmave (Member)

Might be an interesting option to try a TM run by them, yes. But would probably be end of July / beginning of August at the earliest, given the current workload.

@Weltraumschaf (Member)

This issue is over a year old by now, so IMO it is not a problem to wait some more months 😬

@Weltraumschaf (Member)

Nothing done in 3 years. Not important enough.

This issue was closed.

3 participants