Added new category for threat modeling #126
Conversation
Signed-off-by: Eddie Knight <[email protected]>
Signed-off-by: Eddie Knight <[email protected]>
|
@SecurityCRob Yeah, there may be more to consider for the category, but I think this moves it in the right direction. |
Signed-off-by: Eddie Knight <[email protected]>
|
I agree that "Security Assessments" is a better term than "Threat Modeling" here, but the concept seems wrong to me as applied in the current PRs. Everything in the baseline is useful for downstream performing a security assessment, so why are these things that are clearly documentation special? I would expect the "Security Assessments" category to be about the security assessments performed by the project, not downstream consumers. |
Signed-off-by: Eddie Knight <[email protected]>
Signed-off-by: Eddie Knight <[email protected]>
baseline.yaml
Outdated
| maturity_level: 2 | ||
| category: Documentation | ||
| category: Threat Modeling |
There was a problem hiding this comment.
Need to either update the "category" label here, or auto-generate it from the id.
baseline.yaml
Outdated
| @@ -960,6 +962,32 @@ criteria: | |||
| security_insights_value: # TODO | |||
| scorecard_probe: # sastToolRunsOnAllCommits | |||
|
|
|||
| - id: OSPS-TM-04 | |||
There was a problem hiding this comment.
| - id: OSPS-TM-04 | |
| - id: OSPS-SA-04 |
|
|
||
| The authoring process will be simplified if | ||
| including or referencing the output from | ||
| OSPS-TM-01, OSPS-TM-02, and OSPS-TM-03. |
There was a problem hiding this comment.
These links are probably wrong.
Adding category "Security Assessments" to match the phrasing in Security Insights v2.
This will need to be reorganized in the yaml (lots of that still to do)
This will allow us to extend the category to cover all topics necessary to incrementally produce a complete threat model based on what is reasonable for each maturity level.
Inspired by, but in lieu of, #121