Closed. Igor8mr closed this 5 months ago.
Name | Link |
---|---|
Latest commit | 0d1155dbf064dd4780b839745ff75bab6af36fef |
Latest deploy log | https://app.netlify.com/sites/tag-security/deploys/65a7ee270483c500084bd49c |
Hi there, and thanks for the hard work you put into creating this self-assessment!
We have plenty more to review on the PR, but as a starter I noticed that you have some notes written in assessments/projects/cloudevents/CE-maintainers-communications.md. Could you move these notes to the PR description, comments, or remove them (as needed)?
The team joined the CloudEvents public team meeting on November 30th, 2023, which was recorded on YouTube.
Can we please not call this a "self-assessment" since this was not done by the CE project itself. I'm not suggesting anything is incorrect with the assessment but it's not accurate to imply that the CE team did it. This was done as a school project (at the request of their teacher) and while the CE team did look it over, it was done so just to make sure there weren't any superficial problems with it. If this is meant to be some kind of formal CNCF review/analysis then more work/review should be done so it can have a more official standing.
For the TAG-Security team... what's the purpose of these docs? What are they used for? Do they have any official standing within the CNCF? I've looked over https://github.com/cncf/tag-security/tree/main/assessments but what's not clear to me is why a project should create one of these docs if they've already done something like had a Trail of Bits review and added that analysis to their own docs.
> Can we please not call this a "self-assessment" since this was not done by the CE project itself.

STAG Security Assessment Facilitator here. I understand the potential for confusion. The name "self-assessment" was created back when we made the original process because it was actually done by the projects. The Security Pals process was added because some CNCF projects hadn't done their self-assessments, and these Pals are meant to help spur it along. I totally get where you're coming from; we will certainly consider this feedback.
> I'm not suggesting anything is incorrect with the assessment but it's not accurate to imply that the CE team did it. This was done as a school project (at the request of their teacher) and while the CE team did look it over, it was done so just to make sure there weren't any superficial problems with it. If this is meant to be some kind of formal CNCF review/analysis then more work/review should be done so it can have a more official standing.

Yes, please do this! This is the goal!
> For the TAG-Security team... what's the purpose of these docs? What are they used for? Do they have any official standing within the CNCF? I've looked over https://github.com/cncf/tag-security/tree/main/assessments but what's not clear to me is why a project should create one of these docs if they've already done something like had a Trail of Bits review and added that analysis to their own docs.

So they are part of the assessment process in the TAG Security repo (https://github.com/cncf/tag-security/tree/main/assessments). At different times the TOC has required/recommended these for projects. We have heard from end-user adopters, etc. that they find these valuable in getting another perspective on a project. This is different from an audit from ToB, etc., which tends to be a more "point-in-time" security assessment of specific components of a project.
I'd be happy to discuss any of this process, etc. further either in a TAG Security meeting (I am usually on the Wednesday call), on the CNCF slack, or via a separate issue dedicated to revising the assessment process, etc. on the TAG Security issue tracker.
Thank you for your comments explaining the purpose of the project @JustinCappos! I would also be happy to discuss the assessment with you and the CloudEvents team on a call, on Slack, or here.
@duglin, please, feel free to add more comments here or on Slack with more suggestions for the assessment if you can. We want to represent the project in the most accurate way possible, so we are definitely open to your feedback. Thank you again for all the feedback you have given me so far.
> So they are part of the assessment process in the TAG Security repo (https://github.com/cncf/tag-security/tree/main/assessments). At different times the TOC has required/recommended these for projects. We have heard from end-user adopters, etc. that they find these valuable in getting another perspective on a project. This is different from an audit from ToB, etc., which tends to be a more "point-in-time" security assessment of specific components of a project.

Thanks, but I'm not sure this really answers my question. TOB did a review from a security perspective and we include that in our repo. This PR doesn't introduce much (any?) new 'security' related information and actually spends most of its time talking about the project from a process or governance perspective. Not bad things, but it feels a bit odd to be part of a "security" review document. Yes, the TOB review is a point-in-time review, but so is this PR... or any assessment. I'm just trying to understand the impact/benefit of this piece of work when it feels like just about all of the info is already part of our repo (or should be, as that's the source of truth for all things CE), so why duplicate it here, and are we then on the hook to keep it up to date since the minute the PR is merged it could be out of date?
Sorry if this sounds a bit like I'm pushing back, but I have a very strong negative reaction to things that feel like unnecessary bureaucracy - especially if it then requires an on-going commitment.
> > So they are part of the assessment process in the TAG Security repo (https://github.com/cncf/tag-security/tree/main/assessments). At different times the TOC has required/recommended these for projects. We have heard from end-user adopters, etc. that they find these valuable in getting another perspective on a project. This is different from an audit from ToB, etc., which tends to be a more "point-in-time" security assessment of specific components of a project.
>
> Thanks, but I'm not sure this really answers my question. TOB did a review from a security perspective and we include that in our repo. This PR doesn't introduce much (any?) new 'security' related information and actually spends most of its time talking about the project from a process or governance perspective. Not bad things, but it feels a bit odd to be part of a "security" review document. Yes, the TOB review is a point-in-time review, but so is this PR... or any assessment. I'm just trying to understand the impact/benefit of this piece of work when it feels like just about all of the info is already part of our repo (or should be, as that's the source of truth for all things CE), so why duplicate it here, and are we then on the hook to keep it up to date since the minute the PR is merged it could be out of date?
>
> Sorry if this sounds a bit like I'm pushing back, but I have a very strong negative reaction to things that feel like unnecessary bureaucracy - especially if it then requires an on-going commitment.

Sure, feel free to hop into a TAG Security meeting or to raise an issue there to discuss.

I will say that your perspective has not been uncommon for folks at the beginning of the process. I invite you to talk to folks who completed it to get their perspective. Their candid feedback was that an assessment helped their project's security in a way that an audit did not.
Created and added the first draft of the CloudEvents Project Security Self-Assessment.
Please feel free to share your thoughts on the security self-assessment.