Description
Background
The OpenSSF Best Practices badge criterion “assurance_case” requires a documented assurance case, i.e. a body of evidence that:
• defines the project’s threat model
• identifies all trust boundaries
• argues how secure-design principles are applied
• shows how common implementation weaknesses (OWASP Top 10 / CWE Top 25) are mitigated
No such consolidated document currently exists.
⸻
Proposal
1. Add devdocs/assurance_case.md containing:
• Introduction & scope – what assets the provider must protect.
• Threat model – attacker goals, capabilities, and entry points (e.g., malicious Terraform configurations, a compromised Power Platform tenant, man-in-the-middle (MITM) interception of the provider’s HTTPS calls).
• Trust-boundary diagram – Terraform CLI ↔ provider RPC ↔ Power Platform REST.
• Secure-design mapping – how least privilege, fail-safe defaults, complete mediation, etc., are satisfied.
• Weakness coverage – table mapping OWASP Top 10 / CWE Top 25 to concrete mitigations or inapplicability.
• Revision & ownership – how and when the assurance case will be updated.
2. Link the document from README.md and SECURITY.md.
3. CI gate (optional) – add a workflow step that fails if devdocs/assurance_case.md is missing or empty, so the document cannot be silently deleted or reduced to a stub once it is in the repo.
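As an added example (not part of this proposal or of the provider’s repository), the optional CI step could run a script like the one below. Beyond the missing/empty check it also verifies that a markdown heading exists for each of the four elements the assurance_case criterion requires, so a file that is present but incomplete still fails the gate. The heading regexes and the scripts/check_assurance_case.sh path are assumptions; adjust them to the headings the document actually uses.

```shell
#!/usr/bin/env bash
# Added example, not the provider's own code. Fails the CI step unless the
# assurance case exists, is non-empty, and carries a heading for each of the
# four required elements. Heading wording below is an assumption.

# One POSIX extended regex per line, matched case-insensitively against
# markdown heading lines only (e.g. "## Threat model").
REQUIRED_SECTIONS='threat[ -]model
trust[ -]boundar
secure[ -]design
(weakness|cwe|owasp)'

# check_assurance_case <path>
# Returns 0 when every check passes, 1 otherwise, printing each failure so
# the CI log says exactly what is missing.
check_assurance_case() {
    file="$1"
    rc=0
    if [ ! -f "$file" ]; then
        echo "FAIL: $file is missing" >&2
        return 1
    fi
    if [ ! -s "$file" ]; then
        echo "FAIL: $file is empty" >&2
        return 1
    fi
    # Keep only heading lines so a passing mention in body text does not
    # satisfy the check. "|| true" keeps this safe under "set -e" when the
    # file has no headings at all.
    headings=$(grep -E '^#{1,6} ' "$file" || true)
    while IFS= read -r pattern; do
        if ! printf '%s\n' "$headings" | grep -Eiq -- "$pattern"; then
            echo "FAIL: no heading matching /$pattern/ in $file" >&2
            rc=1
        fi
    done <<EOF
$REQUIRED_SECTIONS
EOF
    return $rc
}

# Workflow usage (path is an assumption):
#   bash scripts/check_assurance_case.sh devdocs/assurance_case.md
# Only run when a path is given, so the function can also be sourced.
if [ $# -gt 0 ]; then
    check_assurance_case "$1"
fi
```

Because the check only looks at heading lines, a sentence such as “we cover the threat model and trust boundaries” in an otherwise empty file does not pass; the four elements must each have their own section.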
⸻
Acceptance criteria
• devdocs/assurance_case.md merged, covering the four elements the criterion requires (threat model, trust boundaries, secure-design argument, weakness coverage).
• At least one diagram (embedded SVG or PNG) showing trust boundaries.
• Cross-links added in README.md and SECURITY.md.
• Document reviewed & approved by at least two maintainers, on a PR carrying the security label.
Creating this assurance case will satisfy the OpenSSF assurance_case requirement and give users a single, authoritative reference for the provider’s security posture.