
[SSDF Epic] PW: Produce well secured software #124

Open
jiekang opened this issue Feb 28, 2022 · 2 comments
jiekang commented Feb 28, 2022

This issue tracks the PW SSDF items and will also contain more detail for them:

Work that addresses these items can reference this epic issue.

  • PW.1.1: Use forms of risk modeling, such as threat modeling, attack modeling, or attack surface mapping, to help assess the security risks for Adoptium
  • PW.1.3: Use standardized security features and services instead of creating proprietary implementations
  • PW.2.1: Review the security architecture
  • PW.4.1: Acquire and maintain well-secured software components
    1. Adoptium will maintain process documentation detailing the source of all upstream source code and binary artifacts (including but not limited to: components, packages, containers, flatpacks, ISOs, VM images etc.).
    2. Adoptium will maintain process documentation on if / how the upstream source code and binary artifacts are actively maintained by the upstream community, which should include remediation of new vulnerabilities. If these materials are NOT actively maintained upstream it is the offering team’s responsibility to remediate security vulnerabilities, and process documentation of this remediation plan must be maintained.
  • PW.4.2: Create and maintain well-secured software components
  • PW.5.1: Follow secure coding practices that are appropriate to the development languages and environment
    1. Adoptium will curate and maintain reference material pertaining to secure coding guidelines relevant to Adoptium contributions. This material will be readily available to all contributors and reviewed regularly for relevance.
  • PW.6.1: Use securely configured compilers and build tools
    1. Adoptium will maintain process documentation detailing all build servers used, all compilers & tools and versions of each used for the offering and summarizing the build process for each.
    2. Adoptium will maintain process documentation detailing the configuration and settings for all compilers & tools used to build the offering.
  • PW.7.1: Conduct peer code reviews
    1. Adoptium will maintain process documentation detailing their peer code review process.
    2. Adoptium contributors will consistently follow the peer code review process and log the results.
  • PW.8.1: Determine executable code testing needs
    1. Security-focused test plans applicable to the offering must be documented and maintained as part of the offering's test plan, leveraging other information such as the Risk Assessment, Architecture Review, Security Requirements, Abuse Cases and SANS/CWE guidance. These tests should include techniques such as attack surface validation, abuse cases, configuration testing, regression testing and failure testing.
  • PW.8.2: Scope the testing, design the tests, perform the testing, and document the results
    1. All security issues rated Critical or Important discovered during testing must be resolved prior to release.
    2. For each vulnerability resolved, create an associated test to verify the fix is in place and working as expected with no known regressions, and add it to the offering’s test plan.

@Haroon-Khel

I am investigating PW 6.1
adoptium/infrastructure#2503

@zdtsw
Contributor

zdtsw commented May 4, 2022

working on PW2.1
#144
