Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update baseline.yaml - NEW - OSPS-DO-19 #122

Open
wants to merge 6 commits into
base: main
Choose a base branch
from

Conversation

SecurityCRob
Copy link
Contributor

suggestion for new lvl 3 criteria for external audit/risk assessment

suggestion for new lvl 3 criteria for external audit/risk assessment

Signed-off-by: CRob <[email protected]>
@SecurityCRob SecurityCRob requested review from funnelfiasco, eddie-knight and puerco and removed request for funnelfiasco and eddie-knight December 18, 2024 19:47
@TheFoxAtWork
Copy link

happy to see this added... but.... do we need to list it specifically by major version release? or every two versions? if it happened in v1.0 and the project is now on 4, does it still count?

@puerco
Copy link
Member

puerco commented Dec 18, 2024

@TheFoxAtWork I agree, alternatively after a time period for projects that don't cut major releases.

baseline.yaml Outdated Show resolved Hide resolved
baseline.yaml Outdated Show resolved Hide resolved
baseline.yaml Show resolved Hide resolved
Co-authored-by: Evan Anderson <[email protected]>
Signed-off-by: CRob <[email protected]>
@SecurityCRob SecurityCRob added documentation Improvements or additions to documentation enhancement New feature or request labels Dec 18, 2024
Copy link
Contributor

@funnelfiasco funnelfiasco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also agree with Evan's suggestion

baseline.yaml Outdated Show resolved Hide resolved
baseline.yaml Outdated Show resolved Hide resolved
SecurityCRob and others added 3 commits December 19, 2024 15:40
Co-authored-by: Ben Cotton <[email protected]>
Signed-off-by: CRob <[email protected]>
Co-authored-by: Evan Anderson <[email protected]>
Signed-off-by: CRob <[email protected]>
Co-authored-by: Ben Cotton <[email protected]>
Signed-off-by: CRob <[email protected]>
Copy link
Contributor

@funnelfiasco funnelfiasco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM once the build script is happy.

baseline.yaml Outdated Show resolved Hide resolved
fixed weird crob-indent

Signed-off-by: CRob <[email protected]>
software, and make plans to address those
problems. The project must
provide evidence on request.
implementation: |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
implementation: |
implementation: |
Identify who might be able to pay for an external security audit (including major users,
government programs, and non-profits).
Engage with an external security audit firm to review the project.
implementation: |

@david-a-wheeler
Copy link
Contributor

I'm a fan of security reviews of OSS projects (I've overseen OSTIF work on many), but the big problem here is funding. It's incredibly hard to get funding for security reviews of OSS projects. Maybe we need a level 4?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation Improvements or additions to documentation enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants