This issue tracks the PW SSDF items and will also contain more detail for them:
Work that addresses these items can reference this epic issue.
**PW.1.1: Use forms of risk modeling, such as threat modeling, attack modeling, or attack surface mapping, to help assess the security risks for Adoptium**

**PW.1.3: Use standardized security features and services instead of creating proprietary implementations**

**PW.2.1: Review the security architecture**

**PW.4.1: Acquire and maintain well-secured software components**

- Adoptium will maintain process documentation detailing the source of all upstream source code and binary artifacts (including but not limited to: components, packages, containers, flatpaks, ISOs, VM images, etc.).
- Adoptium will maintain process documentation on whether and how the upstream source code and binary artifacts are actively maintained by the upstream community, which should include remediation of new vulnerabilities. If these materials are NOT actively maintained upstream, it is the offering team's responsibility to remediate security vulnerabilities, and process documentation of this remediation plan must be maintained.

**PW.4.2: Create and maintain well-secured software components**

**PW.5.1: Follow secure coding practices that are appropriate to the development languages and environment**

- Adoptium will curate and maintain reference material pertaining to secure coding guidelines relevant to Adoptium contributions. This material will be readily available to all contributors and reviewed regularly for relevance.

**PW.6.1: Use securely configured compilers and build tools**

- Adoptium will maintain process documentation detailing all build servers used, all compilers & tools and the versions of each used for the offering, and summarizing the build process for each.
- Adoptium will maintain process documentation detailing the configuration and settings for all compilers & tools used to build the offering.

**PW.7.1: Conduct peer code reviews**

- Adoptium will maintain process documentation detailing their peer code review process.
- Adoptium contributors will consistently follow the peer code review process and log the results.

**PW.8.1: Determine executable code testing needs**

- Security-focused test plans applicable to the offering must be documented and maintained as part of the offering's test plan, leveraging other information such as the Risk Assessment, Architecture Review, Security Requirements, Abuse Cases and SANS/CWE guidance. These tests should include techniques such as attack surface validation, abuse cases, configuration testing, regression testing and failure testing.

**PW.8.2: Scope the testing, design the tests, perform the testing, and document the results**

- All security issues rated Critical or Important discovered during testing must be resolved prior to release.
- For each vulnerability resolved, create an associated test to verify the fix is in place and working as expected with no known regressions, and add it to the offering's test plan.