Closed SgtCoDFish closed 2 weeks ago
Hi @SgtCoDFish, sounds great!
EMEA meetings are currently free for the next few weeks, please choose a time in the meeting document.
As part of the graduation in https://github.com/cncf/toc/issues/1306 we can support you in the Document Security Self-Assessment
phase, and walk through a self-assessment doc based on this template and this process.
The cert-manager incubation due diligence document from a couple of years ago might be useful as a baseline to support the graduation documents too. Any questions please ask, we're here to help :pray:
Thanks very much for the quick reply 😁
I've put us in for 2024-05-22 and we'll prepare for then!
As part of the graduation in https://github.com/cncf/toc/issues/1306 we can support you in the Document Security Self-Assessment phase, and walk through a self-assessment doc based on this template and this process.
That sounds great, thank you for pointing to that because I'd been meaning to investigate it! I guess there's nothing stopping us getting started with the self-assessment now (before the 22nd), right?
Absolutely! And if you share the doc link for public comment we can support async before the 22nd too 🙏
Hey, here is the self-assessment doc: https://hackmd.io/_e-m6hnzRzqsosUv3aG60A?view. I'm struggling and need help with the subsections "Actors" and "Actions". Are the actors the same as in the security audit report: cert-manager contributors, untrusted users outside of cluster, limited privilege cluster users, cert-manager maintainers, third-party contributors, third-party maintainers? Let me know if you are available on the Kubernetes Slack.
Hi @maelvls, thanks for sharing the self-assessment doc.
The self-assessment guide describes actors as "the individual parts of your system that interact to provide the desired functionality", so I would consider them as the different components of cert-manager rather than the threat actors. Actions then should delineate which interactions exist between the actors.
I am available on the CNCF Slack
Thanks for having us on the EMEA meeting today!
I'm taking away the following actions:
I'll comment on this issue when I've done those. I'll also update the graduation application to reflect the meeting and self-assessment!
Here's the Google doc for our self-assessment - the above HackMD can now be ignored!
https://docs.google.com/document/d/1Sl1SqYbPSbBMoZroBU8M1dMw5DN-uUgoR1KLHoo5tr0/edit?usp=sharing
Anyone should be able to comment on it - any problems, let me know!
Thanks for the quick update, I appreciate the effort! This makes it easy for interested TAG volunteers to provide feedback directly to the maintainers. I will have a look at the document myself in the next couple of days and hopefully provide any input or ask for clarifications.
@SgtCoDFish thanks for the feedback on the self-assessment doc, I'm done with my review :)
Once you are happy with the revised document, please feel free to raise a PR to this repository to include the self-assessment doc in Markdown format in the /assessments/projects/ folder, as described in the guide.
Thanks very much! I'll try to raise a PR soon 👍
I raised the PR here: https://github.com/cncf/tag-security/pull/1269
Sorry it took a while, it's been a busy time!
The self-assessment is now merged, so I think this issue is completed. Thanks to everyone involved! 🚀
Title: cert-manager Graduation Overview
Speakers:
Other attendees from the cert-manager project:
Description: An overview of what cert-manager is and does, mostly with the aim of facilitating connections, questions and input from tag-security. Related to (and required by) cert-manager's Graduation Application.
Time: 10 mins, with extra time after for questions if required.
Availability: European timezones preferred!
Checklist: