Update baseline.yaml - NEW - OSPS-DO-19 #122

28 changes: 28 additions & 0 deletions baseline.yaml
Expand Up @@ -649,6 +649,34 @@ criteria:
security_insights_value: # TODO
scorecard_probe: # TODO

- id: OSPS-DO-19
maturity_level: 3
category: Documentation
criteria: |
The project MUST have performed an external security
review or audit within the last 4 years or after major
architectural changes.
objective: |
Projects need to have a formally documented
external security audit/review/assessment to
understand the most likely and impactful
problems that could occur within the
software, and make plans to address those
problems. The project must
provide evidence on request.
implementation: |
Suggested change
implementation: |
implementation: |
Identify who might be able to pay for an external security audit (including major users,
government programs, and non-profits).
Engage with an external security audit firm to review the project.
implementation: |

Create a status check that checks the project's
version control system for evidence or statements
that demostrate the project has been reviewed by
an external security professional.
SecurityCRob marked this conversation as resolved.

This information could be recorded in [`security-artifacts.other-artifacts`
from `SECURITY-INSIGHTS.yaml`](https://github.com/ossf/security-insights-spec/blob/main/specification/security-artifacts.md),
with a well-known `artifact-name` field of `"security-audit-results"`.
control_mappings: # TODO
security_insights_value: # TODO
scorecard_probe: #

- id: OSPS-LE-01
maturity_level: 2
category: Legal
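Review bot: the `implementation` text ("Create a status check that checks the project's version control system for evidence or statements ...") only establishes that an audit is claimed somewhere in the repository, not when it was performed, while the `criteria` require the review to fall within the last 4 years or after major architectural changes; the check should also read a date for the `"security-audit-results"` artifact (or the statement it finds) so the freshness window can actually be evaluated, and the criteria wording should say whether the two conditions are independent alternatives or whether the more recent of the two governs. Two smaller points in the same hunk: `demostrate` should read `demonstrate`, and `scorecard_probe: #` is missing the `TODO` marker that the neighbouring fields (`security_insights_value: # TODO`) and the preceding entry carry.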