
[TSSA] OpenFGA

Open lj365 opened this issue 11 months ago • 24 comments

The team is now ready for a joint assessment.

Project Name: OpenFGA
Github URL: https://github.com/openfga/openfga/blob/main/docs/security-self-assessment.md
CNCF project stage: https://github.com/cncf/toc/pull/1276 (incubation)
Security Provider: yes (e.g. Is the primary function of the project to support the security of an integrating system?)

  • [x] Identify team
    • [x] Project security lead @lj365
    • [x] Lead security reviewer @sunstonesecure-robert
    • [x] 1 or more additional reviewer(s) @eddie-knight @ashutosh-narkar @krishnakv Observers: @wibarre
    • [x] Every reviewer has read security reviewer guidelines and stated declaration of conflict
    • [x] Sign off by 2 chairs on reviewer conflicts
  • [x] Create slack channel #sec-assess-openfga
  • [x] Project lead provides draft document
  • [x] "Naive question phase" Lead Security Reviewer asks clarifying questions
  • [x] Assign issue to security reviewers
  • [x] Initial review
  • [x] Presentation & discussion
  • [ ] Share draft findings with project
  • [ ] Assessment summary and doc checked into /assessments/projects/project-name (require at least 1 co-chair approval)
  • [ ] CNCF TOC presentation (if requested by TOC)

lj365 avatar Mar 15 '24 21:03 lj365

Sorry, I missed this. There is a security review template such as the one used here: https://github.com/cncf/tag-security/issues/1079

Can you fill out an issue with this template? You can @ me or assign it to me and I'll get the rest going.

JustinCappos avatar Mar 27 '24 17:03 JustinCappos

> Sorry, I missed this. There is a security review template such as the one used here: #1079
>
> Can you fill out an issue with this template? You can @ me or assign it to me and I'll get the rest going.

Issue updated. @JustinCappos

lj365 avatar Apr 04 '24 03:04 lj365

I'll assist with this as needed

eddie-knight avatar Apr 04 '24 15:04 eddie-knight

@eddie-knight

Okay, please read the security reviewer guidelines and indicate if you have any conflicts.

JustinCappos avatar Apr 04 '24 15:04 JustinCappos

@JustinCappos thanks — no soft or hard conflicts of interest

eddie-knight avatar Apr 05 '24 15:04 eddie-knight

@mnm678 @ragashreeshekar @PushkarJ @sublimino @anvega Can you all please try to drum up volunteers in the weekly meetings? I'll do this as well, but will have some conflicts for the foreseeable future.

We need 2-3 more, including someone to volunteer as lead!

JustinCappos avatar Apr 05 '24 22:04 JustinCappos

Happy to be an additional reviewer. No soft or hard conflicts of interest.

ashutosh-narkar avatar Apr 09 '24 18:04 ashutosh-narkar

I would like to participate as an observer. This would be my first engagement with a security assessment of an open source project. Please let me know how I can help. Thank you.

wibarre avatar Apr 16 '24 16:04 wibarre

@wibarre, okay great!

Please read the security reviewer guidelines and indicate if you have any conflicts.

JustinCappos avatar Apr 16 '24 17:04 JustinCappos

@JustinCappos I do not have soft or hard conflicts of interest.

wibarre avatar Apr 16 '24 17:04 wibarre

@JustinCappos , would like to jump in as a reviewer, no hard or soft conflicts of interest. I don't see a slack channel yet, will watch out for it. :-)


krishnakv avatar Apr 18 '24 10:04 krishnakv

@eddie-knight Can I promote you to the lead? We need an assessment lead and I'm working on another assessment now. (I can provide guidance as is needed.)

JustinCappos avatar Apr 18 '24 15:04 JustinCappos

> @JustinCappos , would like to jump in as a reviewer, no hard or soft conflicts of interest. I don't see a slack channel yet, will watch out for it. :-)

Thanks, I updated the issue. The lead will create one for the assessment.

JustinCappos avatar Apr 18 '24 15:04 JustinCappos

> @eddie-knight Can I promote you to the lead? We need an assessment lead and I'm working on another assessment now. (I can provide guidance as is needed.)

or maybe @ashutosh-narkar would be more appropriate since @eddie-knight hasn't done a joint assessment before. Can you take this one as lead, @ashutosh-narkar ?

JustinCappos avatar Apr 18 '24 16:04 JustinCappos

> Can you take this one as lead, @ashutosh-narkar ?

Hey Justin, it would be best if I'm a reviewer for this one. Thanks.

ashutosh-narkar avatar Apr 18 '24 17:04 ashutosh-narkar

@JustinCappos @ashutosh-narkar I can volunteer as lead - since I have coincidentally been reviewing OpenFGA and have led before (admittedly some time back, so I will need a nudge now and then on the new processes/formatting)

or maybe better to co-lead with @eddie-knight to facilitate more leads :)

AND have (re)reviewed the reviewer guidelines and specifically lead and have no conflicts

sunstonesecure-robert avatar Apr 23 '24 14:04 sunstonesecure-robert

@sunstonesecure-robert Okay, great! I think you're all set up!

(I did the chairs signoff for conflicts, because it is my understanding the assessment facilitator may do so.)

JustinCappos avatar Apr 23 '24 16:04 JustinCappos

@sunstonesecure-robert You can pull me in on every step! Thanks for volunteering!

eddie-knight avatar Apr 23 '24 16:04 eddie-knight

> @sunstonesecure-robert You can pull me in on every step! Thanks for volunteering!

will do!

as such I think we are at this step and so since I see the draft document above in the checklist - I will review w/ @eddie-knight @ashutosh-narkar @krishnakv and @wibarre

from the process doc if @JustinCappos or whomever has the perms can:

> Issue assigned to lead [security reviewer](https://github.com/cncf/tag-security/blob/main/assessments/guide/security-reviewer.md)

I created a slack channel (or I think I did): #sec-assess-openfga. For those I could not find in Slack, please forgive my lack of search-fu and add yourself.

sunstonesecure-robert avatar Apr 23 '24 16:04 sunstonesecure-robert

Okay, I updated this.

@sunstonesecure-robert I think you should be able to edit the message at the top to add things like the slack channel name, etc. If not, let me know.

JustinCappos avatar Apr 23 '24 18:04 JustinCappos

> If not, let me know.

I cannot, even after a refresh (though I can edit my own comments).

sunstonesecure-robert avatar Apr 23 '24 21:04 sunstonesecure-robert

Okay, please ask me to check the box, etc. as needed later. I would imagine that @ashutosh-narkar and (soon) @eddie-knight may also have the rights to do so.

JustinCappos avatar Apr 23 '24 22:04 JustinCappos

status update - kickoff call held 5/10/2024

sunstonesecure-robert avatar May 13 '24 13:05 sunstonesecure-robert

Do we have a recording of the call?

ashutosh-narkar avatar May 13 '24 15:05 ashutosh-narkar