Adding MB Security Management Plan for review #1889
The created documentation from the pull request is available at: docu-html
Thanks for providing, but please incorporate your contribution into the existing document and please do not create work products which are not defined in process_description. The plan here should follow the process_description definitions and give concrete implementation. I would propose again to have a meeting before you continue your work here. TARA is already tailored out in process_description as not in scope of S-CORE.
This PR is stale because it has been open for 30 days with no activity. It will be closed in 10 days if no further activity occurs.
Hi Markus, Thanks
Thank you for your contribution. Some general hints: Eclipse S-CORE contributions shall follow the guidance here, https://eclipse-score.github.io/score/main/contribute/index.html. Contributions shall follow the rigid development process defined here, https://eclipse-score.github.io/process_description/main/index.html, which is a process framework defined compliant with Quality, Safety and Security standards. This document is required here: https://eclipse-score.github.io/process_description/main/process_areas/security_management/security_management_workproducts.html#wp__platform_security_plan. So please do not just remove the existing document, but incorporate your contributions in the existing documents.
| WARNING: Security Management Process is NOT released yet, so links to Process_description using | ||
| `PROCESS_`... will not work yet, thus commented out. After releasing, document must be updated. | ||
| Security Roles & Responsibilities |
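Review bot: the WARNING at the top of this block says the `PROCESS_`... links are commented out until the Security Management Process is released, but nothing records who re-enables them or when; add a tracking reference (an issue id or a TODO marker) next to the warning so the commented-out links are not left permanently broken once the process is released.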
Roles and Responsibilities are already defined here: https://eclipse-score.github.io/process_description/main/process_areas/security_management/security_management_roles.html#rl__security_manager. The process area Security Management defines workflows, etc.: https://eclipse-score.github.io/process_description/main/process_areas/security_management/security_management_workflow.html, so there is no need to define it again here.
| ======================================= | ||
| Secure coding guidelines | ||
| ------------------------- |
The Process Framework is compliant with all standards. If there is a need to add additional coding guidelines, please add this in the Implementation process: https://eclipse-score.github.io/process_description/main/process_areas/implementation/guidance/software_development_template.html, or directly in the Software Development Plan in the score repo as part of the PMP: https://eclipse-score.github.io/score/main/platform_management_plan/software_development.html.
| 6. `Rust Secure Code Working | ||
| Group <https://github.com/rust-secure-code/wg>`__ | ||
| Automated code scanning |
Automated code scanning is already part of the GitHub infrastructure, e.g. Dependabot. If we need more, we should discuss together with the Infrastructure team.
Generation of SBOMs, containing CVEs etc., is already defined here, e.g. https://eclipse-score.github.io/process_description/main/process_areas/security_management/security_management_workproducts.html#wp__sw_platform_sbom, https://eclipse-score.github.io/process_description/main/process_areas/security_management/security_management_workproducts.html#wp__sw_module_sbom. Maybe we are missing process requirements to properly implement it; then we need to update it here: https://eclipse-score.github.io/process_description/main/process_areas/security_management/guidance/security_management_process_reqs.html
| Automated code scanning | ||
| ----------------------- | ||
| The following tools should be part of the CI/CD pipeline and should run automatically for every patch, minor and major release: |
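Review bot: the trigger in this block limits the scanners to "every patch, minor and major release", which means findings surface only after the code has already been merged; run the listed tools on every pull request as well and state in the plan that a clean per-PR run is a merge gate, keeping the release-time run as the final confirmation.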
Tool decisions within S-CORE must be made according to the rules in a meritocratic way; this needs requirements and a decision record, and the Infrastructure Team must be included. You can file a DR here: https://eclipse-score.github.io/score/main/design_decisions/index.html
Aren't the tools to be used documented here: https://eclipse-score.github.io/score/main/contribute/development/cpp/code_analysis.html ?
| | Hardening guide for Integrators | Some identified risks are mitigated by hardening the platform. Such mitigations shall be | Contributors and Security Manager | | ||
| | | part of this guide | | | ||
| +-------------------------------------------+--------------------------------------------------------------------------------------------+-----------------------------------------------+ | ||
| | Security sign off process before releases | A checklist should be created and signed to ensure that all documented risks are mitigated | Contributors and Security Manager | |
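Review bot: the "Security sign off process before releases" row says a checklist "should be created and signed" but does not say what the checklist covers, where the signed copy is stored, or which of the two named roles (Contributors, Security Manager) gives the final sign-off; name the work product that holds the checklist and the single approving role so the row can actually be executed and audited at release time.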
This is part of the release process; if something is missing, please add it: https://eclipse-score.github.io/process_description/main/process_areas/release_management/index.html
| Vulnerability Management | ||
| ======================== | ||
| - SBOMs needs to be defined and used in CVE scanning (SBOM driven CVE |
See comment above, already defined in process description.
| - SBOMs needs to be defined and used in CVE scanning (SBOM driven CVE | ||
| scanning). This process should be automated to run in the CI/CD | ||
| pipeline. | ||
| - When a vulnerability is reported or identified, the following tasks |
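Review bot: the SBOM-driven CVE scanning item names neither the SBOM format nor the vulnerability data source the pipeline matches against; specify a machine-readable SBOM format (for example SPDX or CycloneDX) and the advisory feed to be used, otherwise the automated CI/CD step cannot be implemented consistently across modules or reproduced by integrators.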
We have Problem Resolution, which shall be used to manage vulnerabilities. https://eclipse-score.github.io/process_description/main/process_areas/problem_resolution/guidance/problem_resolution_template.html already covers security topics; what is missing may be added, if required.
| | | the criticality of | contributors | | ||
| | | the reported | | | ||
| | | vulnerability | | | ||
| +-----------------------+-----------------------+-----------------------+ |
Part of Project Management Plan, see here, https://eclipse-score.github.io/score/main/platform_management_plan/project_management.html
| | | CWE (common weakness | | | ||
| | | enumeration) | | | ||
| +-----------------------+-----------------------+-----------------------+ | ||
| | CVSS score | Calculating CVSS | Security | |
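Review bot: the "CVSS score" row says "Calculating CVSS" without pinning a CVSS version; CVSS v3.1 and CVSS v4.0 use different metric vectors and yield different base scores for the same weakness, so the plan should state which version is used and require the full vector string to be recorded next to the numeric score so that triage decisions are reproducible.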
Must be decided what to use here.
sunildevda
left a comment
Some minor points/questions from my side.
| Automated code scanning | ||
| ----------------------- | ||
| The following tools should be part of the CI/CD pipeline and should run automatically for every patch, minor and major release: |
Aren't the tools to be used documented here: https://eclipse-score.github.io/score/main/contribute/development/cpp/code_analysis.html ?
| | Security concepts resulting from the | Security concepts should document different options and a favorable option should be | Contributors and Security Manager/engineer | | ||
| | goals and TARA | implemented | | | ||
| +-------------------------------------------+--------------------------------------------------------------------------------------------+-----------------------------------------------+ | ||
| | Hardening guide for Integrators | Some identified risks are mitigated by hardening the platform. Such mitigations shall be | Contributors and Security Manager | |
If I understood it right, these AoU shall be mentioned in wp__platform_security_manual and wp__module_security_manual, not in https://eclipse-score.github.io/score/main/requirements/platform_assumptions/index.html, or?
| 1. `SEI CERT C++ Coding | ||
| Standard <https://wiki.sei.cmu.edu/confluence/display/cplusplus>`__ | ||
| 2. `Guidelines for the use of the C++14 language in critical and |
No reference to AUTOSAR please. Moreover, C++14 is outdated.
| security manager appointed in the module’s security plan, who defines | ||
| the security process and creates a security management plan. | ||
| - Security Engineer - performs the security analysis using methodologies | ||
| such as TARA |
I would also add: security manual, vulnerability management
@attifunel, thank you for your feedback, but consider that the role definition is done here; please review and let's talk in the next meeting. For activities see the corresponding workflows:
https://eclipse-score.github.io/process_description/main/process_areas/security_management/security_management_roles.html
https://eclipse-score.github.io/process_description/main/process_areas/security_analysis/security_analysis_roles.html
@sunildevda, @attifunel, please consider the existing Security Management Plan, as this is the one to enhance:
https://eclipse-score.github.io/score/main/platform_management_plan/security_management.html