Tag-security: Threat modeling

Created on 22 May 2019  路  5Comments  路  Source: cncf/tag-security

KubeCon EU presentation on security audits mentioned a finding / recommendation for projects to understand their threat model, but this feels overly abstract.

Should an input criteria to a CNCF sec audit be that the project have a threat model documented? CNCF is suggesting projects follow the LF鈥檚 CII best practices recommendations, but that doesn鈥檛 require a threat model.

Even if not required, I suspect threat modeling education by the SIG out to it鈥檚 associated projects would have value as many many software engineers are unfamiliar with what establishing one entails and exceptionally few projects have them.

assessment-process audit-process inactive

Most helpful comment

This is listed in the security assessment docs that the project submits to the SIG-Security working group. I'll list a few examples here:
https://docs.google.com/document/d/1O3O7eFCTZ_7lLZ9IhHSWFiXhjWf2gPuJbzZ7u0m-9uI/edit?pli=1#heading=h.oykub2ep8ndw
https://docs.google.com/document/d/1L15ZZXnDxe3eqXnKHiZRxdr59tGkt_ipPixdA6RbzII/edit#heading=h.4zw236cia0t9

All 5 comments

I think this is a really good proposal, we should at least recommend the project to have it - and maybe set it graduation criteria. There are some discussions on how to document, I have some example I wrote here and will be happy to hear feedback about the format and readability.

I believe we do ask for some threat modeling when performing security reviews for the CNCF projects - is that along the lines of what you have in mind?

Interesting, where does it documented?

This is listed in the security assessment docs that the project submits to the SIG-Security working group. I'll list a few examples here:
https://docs.google.com/document/d/1O3O7eFCTZ_7lLZ9IhHSWFiXhjWf2gPuJbzZ7u0m-9uI/edit?pli=1#heading=h.oykub2ep8ndw
https://docs.google.com/document/d/1L15ZZXnDxe3eqXnKHiZRxdr59tGkt_ipPixdA6RbzII/edit#heading=h.4zw236cia0t9

This issue has been automatically marked as inactive because it has not had recent activity.

Was this page helpful?
0 / 5 - 0 ratings