[Sec Assess WG] Time and Effort of Security Assessments

[lumjjb]

This issue was created from results of the Security Assessment Improvement Working Group (https://github.com/cncf/sig-security/issues/167#issuecomment-714514142).

Time and Effort of Security Assessments

Premise

• The result time span of assessments tend to stretch
• There is little awareness or lack of clarity of the current scheduling aspects of assessments
• Fairly time consuming on project side - barrier for project without strong corp sponsorship

Ideas

• Assessments tend to drag on over >2-3 weeks
• Assesment timeline should be capped, or with a hard time limit
• Give recommendations of word length for sections
• Part of the review should be automated
• It makes it easy for people to report issues
• Templates for project and reviewers

Additional Context:

• https://github.com/cncf/sig-security/tree/master/assessments/guide
• https://github.com/cncf/sig-security/blob/master/assessments/guide/security-reviewer.md#time-and-effort
• https://github.com/cncf/sig-security/blob/master/assessments/guide/project-lead.md#time-and-effort

Logistics

• [ ] Contributors (For multiple contributors, 1 lead to coordinate)
  • Placeholder_1
  • Placeholder_2
• [ ] SIG-Representative

[magnologan]

I'm interested!

[JustinCappos]

This is hard because it isn't clear when a security assessment is really "done". It's not like being asked to write a 3 page essay, it's like a mathematical proof where a bug or problem may end up going down a long rabbit hole of explanations / fixes. Possibly a more rigorous threat modeling step up front would help, but this would be unevenly applied (unless done by a central group) and difficult to do well.

[stale[bot]]

This issue has been automatically marked as inactive because it has not had recent activity.

[anvega]

Closing this out based on Justin's comment above. While aspirational, it is practically unfeasible.