Closed humbitious closed 2 years ago
Hi @sambacha,
Yes, using the MITRE Attack Framework is something I do frequently, and we will be using it with our work here. I can address the inclusion of an IR plan and what it looks like within the context of Baseline during our next Security SSC meeting.
It's a pretty broad scope. I'm thinking perimeter objectives and internal configuration, like "should consensus reaching nodes be exposed to public facing services", would be more pertinent to the epic rather than "how to secure a container". Am I right in thinking along those lines? Sticking to that sort of thing rather than run-of-the-mill security stuff would probably be more relevant, but I am hesitant to make that assumption as I don't know what level of experience this would be aimed at (the reader).
I completely forgot to mention this: I have been keeping a threat matrix specific to tokens here: https://github.com/freight-chain/defi-sec
It includes off-chain. If you want to go to the Google Sheet, visit https://docs.google.com/spreadsheets/d/e/2PACX-1vR5UnBx4M9sg43fO76eWetena1L-4zo82lqsJuMR3uuZPe7luRnakG8jZPG0YbnSDtUOY5nVgSdwpc1/pubhtml. We would be happy to donate all this to Baseline under whatever license.
@ebravick @sambacha @CannotContainMyself - as per the SSC call on 2/1/21 I'm checking on the status of this Epic. Let me know if you have any updates. If not, please close this Epic.
Can MITRE's Attack Framework be used as a starting point for the assessment? That is what we have done: https://www.dropbox.com/s/5reg815051aklyh/Cloud_Security.svg?dl=0 I attached an image in case that link does not work for some reason.
Additionally, an Incident Response Plan should be posted. Here is a boilerplate based on meeting NY State's Fintech requirements that we made; we just removed our plan specifics: https://gist.github.com/sambacha/7bed08cb05f97212a6b763d74d6ec491