cncf / toc

⚖️ The CNCF Technical Oversight Committee (TOC) is the technical governing body of the CNCF Foundation.
https://cncf.io

Surface value of performing (self|joint) security assessments better #1378

Open mrbobbytables opened 1 month ago

mrbobbytables commented 1 month ago

The security assessments were originally thought of as a "package" with each assessment building on the previous one with the idea that they make the following assessments easier/faster to complete. This is MUCH more important for the eventual security audit and speeding up that process.

The fact that they are intended to speed up the later processes isn't surfaced well, and more projects might be more inclined to do them / think about them further if they knew that it'd make things easier for them to get through the later processes.

cc @TheFoxAtWork

TheFoxAtWork commented 1 month ago

Thanks @mrbobbytables for creating this.

As we've been exploring the #1277 Security DTR, we talked a little about the differences between Self-Assessment, Joint-Assessment, and Security Audit. It's not the first time these questions have come up, so we're not doing a good job surfacing these to projects.

With the recent criteria changes for moving levels, Self-Assessments are required for the Incubation level. Joint-Assessments are not, because we did not want to impose a moving-levels requirement that was contingent upon the availability and expertise of community members to participate. However, in the years since the Security Assessments were created by TAG Security, we've found that projects that complete a self-assessment and joint-assessment have more robust security considerations that directly benefit them during the audit. Feedback we've received from organizations conducting security audits on projects with a self-assessment and joint-assessment is that these allow the Audit to be conducted faster, reducing the volume of information discovery required to get started, as much of the background detail was presented in both of those documents.

What suggestions do people have for making this more clear or at least increasing the awareness of these benefits?