New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[SSDF Issue] PW2.1: Review the security architecture #144
Comments
i am working on it : self assign |
PW.2.1
|
Jfrog account is a "sponsored enterprise" account |
what is the release process we have for services we provide and who is responsible for these services:
|
Some AQA related question: |
Updated via PRs to https://github.com/adoptium/blog.adoptium.net
Now that the new version is live and seems to work we do need to do that.
Once Nagios is back in a reasonable state we should add TRSS to that to monitor it's health, as with any other systems not already covered :-) |
@gdams @karianna could you give inputs for below items:
|
The docker images have a synk security run before the published (this is done by the Dockerhub folks rather than us) |
Here is the SSDF security review doc for public access: https://docs.google.com/document/d/1w3znf2X4y0yoiK2w1cNxSwu8ok7ibWCbD3t1oEs2wwU/edit#heading=h.vkwl1qx18vjg |
re: #144 (comment)
Sorry, somehow missed this note earlier:
|
Noting that we intend to have a third party perform an audit on parts of this, so that process will cover part of this. |
Note that we have volunteered for an eclipse project to use an external party to perform an analysis of our project security that will be commencing soon. |
The audit described above started last week (Monday 15th December) and is progressing. |
Ref: [SSDF Epic] PW: Produce well secured software
Recording work has been done for PW2.1:
software design to confirm and enforce that it meets all of the security requirements and satisfactorily addresses the identified risk information.
Example 1: Review the software design to confirm that it addresses applicable security requirements.
Example 2: Review the risk models created during software design to determine if they appear to adequately identify the risks.
Example 3: Review the software design to confirm that it satisfactorily addresses the risks identified by the risk models.
Example 4: Have the software’s designer correct failures to meet the requirements.
Example 5: Change the design and/or the risk response strategy if the security requirements cannot be met.
Example 6: Record the findings of design reviews to serve as artifacts (e.g., in the software specification, in the issue tracking system, in the threat model).
Detail see: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf Page 21
The text was updated successfully, but these errors were encountered: