From 881c6dea066af8d23537217d4128fad450daf96c Mon Sep 17 00:00:00 2001 From: Justin Cappos Date: Sat, 30 Nov 2024 21:31:24 -0500 Subject: [PATCH] Work to fix outdated assessment document (#1410) * Work to fix outdated assessment document Signed-off-by: Justin Cappos * fix(assessments/guide): linting, spelling, links Signed-off-by: Marco De Benedictis * ci: add TSSA to known words Signed-off-by: Marco De Benedictis * fix(assessments/guide): heading links Signed-off-by: Marco De Benedictis * Update community/assessments/guide/README.md Co-authored-by: Marco De Benedictis Signed-off-by: Justin Cappos * Update community/assessments/guide/README.md Signed-off-by: Justin Cappos * fix(assessments/guide): heading link Signed-off-by: Marco De Benedictis --------- Signed-off-by: Justin Cappos Signed-off-by: Marco De Benedictis Co-authored-by: Marco De Benedictis --- ci/spelling-config.json | 1 + community/assessments/guide/README.md | 125 ++++++++++++-------------- 2 files changed, 58 insertions(+), 68 deletions(-) diff --git a/ci/spelling-config.json b/ci/spelling-config.json index 08ea92bc8..83c24c6a4 100644 --- a/ci/spelling-config.json +++ b/ci/spelling-config.json @@ -190,6 +190,7 @@ "triaging", "trojanized", "trufflehog", + "TSSA", "TTPS", "Twintag", "unencrypted", diff --git a/community/assessments/guide/README.md b/community/assessments/guide/README.md index f87ad5cbb..b3d2579cb 100644 --- a/community/assessments/guide/README.md +++ b/community/assessments/guide/README.md 
@@ -6,20 +6,20 @@ should be assessed during a TAG-Security Security Assessment (TSSA). * [Roles](#roles) * [TSSA package steps](#tssa-package-steps) - * [New projects](#new-projects) + * [Abbreviated project assessment](#abbreviated-project-assessment) 1. [Self-assessment](#complete-a-self-assessment) 2. [Create issue](#create-a-presentation-issue) 3. [Present](#present-the-project-and-self-assessment) 4. [Submit PR](#submit-a-pr-to-include-the-self-assessment-in-the-repo) - * [Growing projects](#growing-projects) + * [Joint assessment](#joint-assessment) 1. [Create issue](#create-tracking-issue) - 2. [Draft joint assessment](#project-provides-the-joint-assessment-and-reviewers-are-assigned) - 3. [Reviewers assigned](#project-provides) + 2. [Self-assessment](#project-creates-a-self-assessment) + 3. [Reviewers assigned](#project-provides-the-self-assessment-and-reviewers-are-assigned) 4. [Conflict of interest](#conflict-of-interest-statement-and-review) 5. [Clarifying questions](#clarifying-questions-phase) - 6. [Assessment](#security-assessment-with-optional-hands-on-assessment) + 6. [Assessment](#security-assessment) 7. [Presentation](#presentation) - 8. [Final summary](#final-summary) + 8. [Final artifacts](#final-artifacts-which-are-committed) 9. [Survey](#post-assessment-survey) * [Additional process notes](#additional-process-notes) 
@@ -35,28 +35,30 @@ and advance through the CNCF. The below section breaks the creation of the package into steps that mirror the [current TOC process stages](https://github.com/cncf/toc/tree/main/process). -### New projects +### Abbreviated project assessment -New projects are projects generally defined as very early on in their maturity. -They may have an innovators pool of users. +Projects which are very early on in their maturity may use a short process to +get some initial feedback by documenting their threat model and security design. +They use an abbreviated process which does not result in a joint assessment or a +detailed review by TAG Security. Note: Responsible roles for specific items are in **bold** -#### Complete a [self-assessment](self-assessment.md) +#### Complete a self-assessment -The self-assessment provides projects with the opportunity to examine the +The [self-assessment](self-assessment.md) provides projects with the opportunity to examine the existing security provisions of the project. It can serve as their initial security documentation for users. -#### Create a [presentation issue](https://github.com/cncf/tag-security/issues/new?assignees=&labels=usecase-presentation&template=presentation.md&title=%5BPresentation%5D+Presentation+Title) +#### Create a presentation issue This presentation should go over the self-assessment and provide TAG-Security with an initial understanding of the project. It is recommended the **project -lead** submit the issue as the primary point of contact (POC). +lead** submit the [presentation issue](https://github.com/cncf/tag-security/issues/new?assignees=&labels=usecase-presentation&template=presentation.md&title=%5BPresentation%5D+Presentation+Title) as the primary point of contact (POC). 
#### Present the project and self-assessment -Be sure to add the presentation to proposed agenda topics in the [meeting +To get rough feedback, please add the presentation to proposed agenda topics in the [meeting notes](https://docs.google.com/document/d/170y5biX9k95hYRwprITprG6Mc9xD5glVn-4mB2Jmi2g/) and include the POC or **project lead**. The community may provide feedback on the self-assessment or ask questions about the project. Include anything you @@ -69,18 +71,18 @@ PR, citing the presentation issue number to add the self-assessment to [assessments/projects](/community/assessments/projects) under its own folder. The ticket may then be closed after merged in. -### Growing projects +### Joint assessment -Growing projects are likely to have early adopters, having gone beyond -innovators as their sole user base. +A more mature project will likely want a more complete and comprehensive assessment +of the project's security. Note: Responsible roles for specific items are in **bold**. If an incubation project did not complete a self-assessment during sandbox, they are recommended to start with the self-assessment before pursing joint assessment. -#### [Create tracking issue](https://github.com/cncf/tag-security/issues/new?assignees=&labels=triage-required&template=joint-assessment.md&title=%5BTSSA%5D+Project+Name) +#### Create tracking issue -The tracking issue serves to initiate the joint-assessments. It provides an initial +The [tracking issue](https://github.com/cncf/tag-security/issues/new?assignees=&labels=triage-required&template=joint-assessment.md&title=%5BTSSA%5D+Project+Name) serves to initiate the joint-assessments. It provides an initial set of information to assist TAG-Security in prioritizing the joint assessment as well as provide potential reviewers with a central location to manage the effort. 
@@ -92,25 +94,24 @@ Facilitator**](https://github.com/cncf/tag-security/blob/main/governance/roles.m determine if the project is ready for joint-assessment. If ready, a channel will be created to coordinate the activities. -#### Project leverages self-assessment to draft [joint assessment](joint-assessment.md) +#### Project creates a self-assessment -The project uses the self-assessment created from the sandbox phase to draft the -joint assessment. The joint assessment expands upon content of the self-assessment and -provides the **reviewers** with a central starting point in assessing the -current security stature of the project. +As is listed in the above section, the project should create a self-assessment. +This should be created as a google doc to make it easier for the TAG Security +members to edit and comment upon. -#### Project provides the joint assessment and reviewers are assigned +#### Project provides the self assessment and reviewers are assigned The project provides the reviewers with security relevant information about - their project. The joint assessment can include links to external documents and + their project. The self assessment can include links to external documents and sources within the project's repository or website to provide additional details or reference where a process is kept. -* **[Project lead](project-lead.md)** responds to the issue with draft document - (see [joint assessment](joint-assessment.md)) +* **[Project lead](project-lead.md)** responds to the issue with draft + self assessment * Issue assigned to **lead [security reviewer](security-reviewer.md)** who will - recruit at least one additional reviewer, if one is not already assigned, -and facilitate the process. + recruit at least two additional reviewers, if one is not already assigned. + The security assessment facilitator will also likely help in this task. #### Conflict of interest statement and review 
@@ -152,33 +153,34 @@ prior to the *3 week* time frame for a TSSA. * **Lead security reviewer or their designee** will perform an initial, clarifying assessment to: * Verify completeness - * Ask for clarifications + * Ask for clarification * Ensure terms are defined * Ensure concepts introduced are explained with context * Provide quick feedback -#### Security assessment with optional hands-on assessment +**Importantly, comments on the document should be addressed in the document text, as +the comments will be lost when the document is later converted to markdown.** + +#### Security assessment The TSSA process provides time for the security reviewers and the project to address security and technical details associated with the project. Information -created or received out of the assessment is leveraged in finalizing the joint +created or received out of the assessment is leveraged in finalizing the self assessment and creating the project's TSSA package in the README file. -If the security reviewers include individuals capable of performing a hands-on -assessment, the hands-on assessment is included in this step. 
- * **Project** posts their document to the project security assessment channel, allowing at least one week for review prior to Q&A -* **Security reviewers** review the joint-assessment document, links, and other +* **Security reviewers** review the self-assessment document, links, and other materials provided by the project and provide comments and questions * It is highly recommended that security reviewers familiarize themselves with the project's repo and docs if available * **Security reviewers and project lead/POCs** ensure all reviewer questions, - comments, and feedback are addressed and finalize the joint assessment -* **Lead security reviewer or their designee,** with the assistance of the -**security reviewers** create a [draft summary - document](joint-readme-template.md) to capture existing comments, feedback, - and recommendations prior to the presentation. + comments, and feedback are addressed and finalize the self assessment. + The project has final edit discretion on the self assessment document. +* **The assessment team meets and presents their recommendations to the project** + in the form of a draft joint assessment. The project and assessment team + work together to augment and improve this document, with the assessor having + final edit discretion. #### Presentation 
@@ -188,32 +190,19 @@ questions and feedback to the reviewers and project. * Project lead presents to TAG during TAG meeting * Presentation is recorded as part of standard TAG process -* Presentation slides are linked in the /assessments/projects/project-name/ - -#### Final summary - -The final summary provides a cursory assessment of the project, background, summary -of the joint assessment, and recommendations to the CNCF, the project, and other -recommendations of note. The final summary should also list the version or -release the joint assessment covered to better enable tracking for updates of the -TSSA package. - -* **Lead security reviewer** creates a branch labeled WIP and provides branch - information to additional reviewers. -* **Lead security reviewer** places the [summary](joint-readme-template.md) into - branch for finalization -* **Reviewers** either comment or provide changes (feedback and recommendations) - to the branch given and submit PR -* Either **project lead or reviewers** may request further WG discussion -* **Project lead** prepares a PR to /assessments/projects/project-name/ when all - comments, feedback, and recommendations are incorporated for the joint -assessment and presentation slides. -* PR approval of at least 1 **co-chair**, alongside other **reviewers'** -approvals, is required before merging any artifacts. - -#### [Post-assessment survey](review-survey.md) - -The should be completed by the **reviewers**, **project lead**, and other +* Presentation slides are linked in the /community/assessments/projects/project-name/ folder + +The assessment team also should give a quick rundown of the assessment recommendations. + +#### Final artifacts which are committed + +The self assessment and joint assessment are added to the repository under a +directory named for the project name. The issue may then be closed and the PR +merged. 
+ +#### Post-assessment survey + +The [post-assessment survey](review-survey.md) should be completed by the **reviewers**, **project lead**, and other members of the TSSA. Once complete the survey may be shared directly to the Security Assessment Facilitator, technical leads, and co-chairs or be part of the PR into the /assessments/projects/project-name folder.
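Review bot: in the `@@ -35,28 +35,30 @@` hunk, the first two sentences of the new "Abbreviated project assessment" section say the same thing twice ("may use a short process ..." then "They use an abbreviated process ..."); fold them into one, e.g. "Projects very early in their maturity may use an abbreviated process to get initial feedback on their threat model and security design; it does not produce a joint assessment or a detailed review by TAG-Security." The same hunk writes "TAG Security" in that sentence but "TAG-Security" two paragraphs later, and the rewritten "**project lead** submit the [presentation issue](...)" line is now one very long unwrapped line in a file this PR otherwise lints; wrap it like the surrounding text.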
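Review bot: in the `@@ -69,18 +71,18 @@` hunk, the unchanged context line "before pursing joint assessment" should read "pursuing"; since this PR already carries spelling fixes for this file, include it. The new opener "A more mature project will likely want a more complete and comprehensive assessment" no longer says which projects the joint assessment is meant for, while the following paragraph still assumes an incubation project that went through sandbox; state the intended stage (e.g. "Projects at incubation or later") so the two paragraphs agree. Also "serves to initiate the joint-assessments" should be the singular "joint assessment" to match the heading.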
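Review bot: in the `@@ -92,25 +94,24 @@` hunk, the recruitment bullet now reads "recruit at least two additional reviewers, if one is not already assigned", mixing the new count with the old singular condition; make it "if they are not already assigned". This hunk also removes the only link to the `joint-assessment.md` template (the deleted heading "Project leverages self-assessment to draft [joint assessment](joint-assessment.md)"), yet the document still produces a "draft joint assessment" in the next hunk with no template reference; re-link the template there if it is still in use, or remove the file. The new heading "Project provides the self assessment and reviewers are assigned" spells "self assessment" without the hyphen while the rest of the file and the new TOC entry use "self-assessment"; pick one form. "google doc" should be "Google Doc".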
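Review bot: in the `@@ -152,33 +153,34 @@` hunk, the "Security assessment" paragraph still says the output is "leveraged in finalizing the self assessment and creating the project's TSSA package in the README file", but this patch deletes the "Final summary" section that defined that README (via `joint-readme-template.md`), and the new "Final artifacts which are committed" section lists only the self assessment and the joint assessment. Either drop "in the README file" or say which committed artifact the README now is. In the last bullet, "with the assessor having final edit discretion" uses the singular where the same sentence talks about the "assessment team"; use "assessment team" in both places.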
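Review bot: in the `@@ -188,32 +190,19 @@` hunk, the replacement "Final artifacts which are committed" section silently drops three things the removed "Final summary" section specified: who prepares the PR (previously the **project lead**), the merge gate ("PR approval of at least 1 **co-chair**, alongside other **reviewers'** approvals, is required before merging any artifacts"), and the requirement to record the version or release the assessment covered. If co-chair approval and version tracking are still expected, carry those sentences over; if they are intentionally retired, say so in the PR description. The unchanged trailing context line still reads "PR into the /assessments/projects/project-name folder" while the new slides line uses "/community/assessments/projects/project-name/"; update it in the same pass. Also "The assessment team also should give" reads better as "The assessment team should also give".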