[Suggestion] Perform hands-on security testing during security assessments

[Eriner]

Description

I suggest that hands-on light "pentesting" be performed during SIG-Security assessments. As an outsider who joined SIG-Security, this is what I had assumed was happening during a SIG-Security Assessment.

Discussed in SIG-Security call on June 10, 2020.

Impact

This will allow the assessment team to better understand the security posture of the project, identify areas of interest, gauge necessity for formal security assessment recommendation, etc. Ultimately, this culminates in the team's ability to better inform the TOC.

Scope

This task should consume no more time than a usual SIG-Security assessment, and could be run in parallel or during the latter phase of the assessment. Adding this "feature" should not impact assessment timelines. This is not a formal security assessment, and we should provide no additional guarantees.

Requirements

Before this could become a codified process, we would need a pool of at least three security engineers willing to contribute to the SIG-Security assessment through performing hands-on security reviews.

[jonathanwalker]

I am currently a practicing security engineer and willing to contribute to the SIG-Security assessment by performing hands-on security reviews. Happy to dedicate my time and effort to this initiative!

[krisctl]

I'll echo what @Eriner mentioned about the assumption around performing pentesting during SIG-Security assessment. I was also hoping for the same and think that this is the right direction to go. As a newbie to this sector, I would also like to see a clear direction on how a beginner can do this kind of pen testing exercise on a product submitted for security assessment.

[lumjjb]

Are there any pentesting equivalents of CI badges that we can use for projects? Ideally we'd want our assessments to be able to validate that a project has attained a level of security testing - whether it is through this process, or if they've gone through another set of audits that we would recognize.

[JustinCappos]

I am in general supportive of this. My only real concerns here are logistical. If we have the resources and can do this in a balanced way for all projects, then I'm 100% for it.

Any thoughts on how to achieve this?

[stale[bot]]

This issue has been automatically marked as inactive because it has not had recent activity.

[MVrachev]

I like the idea, but there are a couple of questions that should be clarified. @JustinCappos hinted at some of them.

If we want to have a standardized process for a security assessment then we should discuss: is this possible to be included in all assessments? I suspect not, but does this mean we shouldn't do it for those projects where there are volunteers?

Is there a place for additional information beyond the standard security assessment @JustinCappos?

[JustinCappos]

Is there a place for additional information beyond the standard security assessment @JustinCappos https://github.com/JustinCappos?

Right now, we do track other information like security audits done by other parties or supplemental documents about security, so this seems like it could be added as well.

[stale[bot]]

This issue has been automatically marked as inactive because it has not had recent activity.

[anvega]

A lot has been done over the years to improve the assessment process, although penetration testing has been largely excluded. There is a latent desire for something like a red team working group to carry out these efforts parallel to an assessment. As @JustinCappos points out, it begs for increased coordination and resourcing. Perhaps worth reframing as WG Red Team proposal to evaluate as such.

[anvega]

There is a renewed concerted effort around security reviews where proposals such as pals and threat modeling are converging into. Pentesting is currently not in scope but it is a stretch task that pals could perform in preparation of assessments as a report handed to project teams to aid in the production of their self-assessment.