[Sec Assess WG] Getting more reviewers for Security Assessments

[lumjjb]

This issue was created from results of the Security Assessment Improvement Working Group (https://github.com/cncf/sig-security/issues/167#issuecomment-714514142).

Getting more reviewers for Security Assessments

Premise

• Challenge of assembling a team for each review

Ideas

• what are the reasons that people want to participate? can we incentivize more?
  • Provide swag/recognition
  • For issues found they would get discount for courses and conferences
• actively reach out to past reviewers (This is currently done by co-chairs and TLs informally)
• Create a more concrete list of the expectations/requirements of a reviewer
• Find new ways to engage new reviewers including in-experienced ones
• Reach out to researchers to review the projects
• Recommend the CNCF provide training/skills to community members to be able to perform assessments and audits

Logistics

• [x] Contributors (For multiple contributors, 1 lead to coordinate)
  • @magnologan
  • Placeholder_2
• [x] SIG-Representative @lumjjb

[magnologan]

I'm interested!

[stale[bot]]

This issue has been automatically marked as inactive because it has not had recent activity.

[magnologan]

Working on it! =)

[magnologan]

what are the reasons that people want to participate?

• Help the community
• Participate in an open source project
• Help share the security of Cloud Native applications
• Make an impact on the future of cloud infrastructure

can we incentivize more?

• Yes, better marketing on Security Forums and Lists would be good.
• Any swag or recognition such as a Hall of Fame of Contributors would be helpful

Provide swag/recognition

• Swag is great for this, anything from stickers, to keychains, mugs, shirts or hoodies.

For issues found they would get discount for courses and conference

Example:

• Critical Issue: 30% on any LF course
• High Issue: 20% on any LF course
• Medium Issue: 10% on any LF course
• Low Issue: 5% on any LF course

Actively reach out to past reviewers (This is currently done by co-chairs and TLs informally)

• Create a DL and maybe rank past reviewers based on the number of past reviews and number of issues found.

Create a more concrete list of the expectations/requirements of a reviewer Find new ways to engage new reviewers including inexperienced ones

• What needs to be checked?
• Do I need to review code? If so, what language?
• Common issues to look for
• Link to past reviews from similar projects
• Security Audit Review Checklist (series of basic security verifications that should be performed on all CNCF projects)

Reach out to researchers to review the projects

• Security companies that are interested in Cloud Native Security would probably be interested to help.

Recommend the CNCF provide training/skills to community members to be able to perform assessments and audits

• Create a short training on How to Perform Security Audit Reviews and assign it to 1st-time reviwers

[aspanner]

plus add a guide on how to sign up as a security auditor/participant and how to claim a work item as part of the short training video.

[stale[bot]]

This issue has been automatically marked as inactive because it has not had recent activity.

[MVrachev]

what are the reasons that people want to participate?

Plus learn new stuff during the assessment.

I think one question we want to answer do we consider the assessments as a learning opportunity too?

There is an old issue I created before https://github.com/cncf/sig-security/issues/256 about the need for a lower entry-level position in the assessments which will allow an inexperienced developer to learn during security assessments and eventually volunteer for security reviewers.

I added a new comment about why I think this would be useful here: https://github.com/cncf/sig-security/issues/256#issue-484537322

[stale[bot]]

This issue has been automatically marked as inactive because it has not had recent activity.

[magnologan]

I've talked to @lumjjb before, and I'll submit a PR this week with the suggestions I've mentioned previously on this issue. Then, once they are accepted, we can close this one. Thanks!

[lumjjb]

Hey @magnologan ! How is this going? Any way that we can help out with this?

[magnologan]

Hi @lumjjb sorry, I missed this, since the isn't assigned to me I forgot to follow up here. I'll submit a PR this week with the suggestions above. Do you mind assigning this to me just to make sure I don't forget? Thank you!

[lumjjb]

Ok - assigned now :). Looking forward to the PR!

[lumjjb]

Checking back on this @magnologan

[apmarshall]

Adding myself to the project of turning Magno’s contributions here into a PR for the repo

[hyakuhei]

This is definitely something I can help with, I've also been working on a few (scrappy) tools that make threat modelling and security reviews code driven, git friendly and a bit more accessible. Will share more if there's interest.

[lumjjb]

Hi @hyakuhei , @apmarshall !

Just checking back on this!

[hyakuhei]

Still happy to help but a bit unclear on what the engagement model is; how do we arrange and conduct a review?

[stale[bot]]

This issue has been automatically marked as inactive because it has not had recent activity.

[ashutosh-narkar]

The security facilitator role helps with the tasks outlined in this issue.

[stale[bot]]

This issue has been automatically marked as inactive because it has not had recent activity.

[anvega]

Closing this out -- the onus of convocating reviewers lies on the tag leadership and the assessments facilitator.