Surface value of performing (self|joint) security assessments better

[mrbobbytables]

The security assessments were originally thought of as a "package" with each assessment building on the previous one with the idea that they make the following assessments easier/faster to complete. This is MUCH more important for the eventual security audit and speeding up that process.

The fact that they are intended to speed up the later processes isn't surfaced well, and more projects might be more inclined to do them / think about them further if they knew that it'd make things easier for them to get through the later processes.

cc @TheFoxAtWork

[TheFoxAtWork]

Thanks @mrbobbytables for creating this.

As we've been exploring the #1277 Security DTR, we talked a little about the differences between Self-Assessment, Joint-assessment, and Security Audit. Its not the first time these questions have come up, so we're not doing a good job surfacing these to projects.

With the recent criteria changes for moving levels, Self-assessments are required for Incubation level. Joint -assessments are not because we did not want to impose a moving levels requirement that was contingent upon the availability and expertise of community members to participate. However in the years since the Security Assessments were created by TAG Security, we've found projects that complete a self-assessment and joint-assessment have more robust security considerations that directly benefit them during the audit. Feedback we've received from organizations conducting security audits on projects with a self-assessment and joint-assessment allow the Audit to be conducted faster, reducing the volume of information discovery required to get started, as much of the background detail was presented in both of those documents.

What suggestions do people have for making this more clear or at least increasing the awareness of these benefits?

[angellk]

Suggestions:

• In the due diligence for projects moving to Incubation - the TOC reviewer(s) include a recommendation for the project to begin a joint security assessment with TAG Security upon moving to Incubation.
• Update the documentation for Incubation and Graduation to clarify that the Joint assessments help prepare for the security audits and the due diligence for projects moving levels
• A CNCF blog on why security assessments matter - and what differentiates them from a security and/or fuzzing audit

[jeefy]

@jeremyrickard @kfaseela Can you two work with TAG-Security to knock out the blog post on security assessments? That should let us close this out since the other main deliverables seem done. :)

EDIT: Can we also add "assessments" into the "suggested" section of both Incubation and Graduation templates? <3

[kfaseela]

@jeremyrickard @kfaseela Can you two work with TAG-Security to knock out the blog post on security assessments? That should let us close this out since the other main deliverables seem done. :)

EDIT: Can we also add "assessments" into the "suggested" section of both Incubation and Graduation templates? <3

I can take a look at this.

[kfaseela]

@jeremyrickard has already published the PR to add details about security assessment into the Incubation and Graduation templates.

I had a discussion with @brandtkeller about the TAG-Security blog post, and came to know that they had a recent blog that covers the intent of the recommendation, published to the tag-security repository on October 5th: cncf/tag-security#1496. Unfortunately, it never went "live" as it was committed to the incorrect directory. And they are currently discussing on how to publish this as a CNCF blog post, and would request the TOC review once it is ready.

[brandtkeller]

There is a blog on the tag security website currently. We will be working on a formal version for use on the CNCF blog.