Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Assessment] SPIFFE/SPIRE #308

Closed
13 of 14 tasks
evan2645 opened this issue Dec 12, 2019 · 28 comments
Closed
13 of 14 tasks

[Assessment] SPIFFE/SPIRE #308

evan2645 opened this issue Dec 12, 2019 · 28 comments
Assignees
Labels
assessment project security assessments (one issue per project)

Comments

@evan2645
Copy link
Contributor

evan2645 commented Dec 12, 2019

Project Name: SPIFFE/SPIRE

Github URL: https://github.com/spiffe/spire

Security Provider: yes

  • Identify team
    • Project security lead (Evan Gilman)
    • Lead Security Reviewer (Brandon Lum)
    • 1 or more additional reviewer(s) (Justin Cappos, Emily Fox)
    • Declaration of reading of security reviewer guidelines and declaration of conflits (by each reviewer)
    • Sign off by 2 chairs on reviewer conflicts (Justin Cappos in lieu of chairs who are preoccupied)
  • Create slack channel (e.g. #sec-assess-projectname)
  • Project lead provides draft document outline -- self-assessment
  • "Dumb question phase" Lead Security Reviewer asks clarifying questions
  • Initial review
  • Presentation & discussion (Done on 26 Feb)
  • Share draft findings with project
  • Assessment summary and doc checked into /assessments/projects/project-name
  • CNCF TOC presentation (if requested by TOC)
@evan2645 evan2645 added the assessment project security assessments (one issue per project) label Dec 12, 2019
@lumjjb
Copy link
Contributor

lumjjb commented Dec 12, 2019

I am willing to volunteer be a security reviewer for this assessment, and am able to lead.

@JustinCappos
Copy link
Collaborator

JustinCappos commented Dec 12, 2019 via email

@lumjjb
Copy link
Contributor

lumjjb commented Dec 13, 2019

Link issue for previous assessment by @JustinCappos #97

@JustinCappos JustinCappos added the need-self-assessment The project has not yet created a self assessment label Dec 16, 2019
@JustinCappos
Copy link
Collaborator

@JustinCappos JustinCappos removed the need-self-assessment The project has not yet created a self assessment label Dec 16, 2019
@lumjjb
Copy link
Contributor

lumjjb commented Dec 18, 2019

Conflict declaration: No conflicts with this project.

@JustinCappos
Copy link
Collaborator

JustinCappos commented Dec 18, 2019

No conflict from my side either. I like the folks there a lot, but it won't impact my objectivity in a security assessment. :)

@TheFoxAtWork
Copy link
Contributor

TheFoxAtWork commented Dec 18, 2019

Happy to help, No experience as lead assessor but will help anyway i can:

@JustinCappos
Copy link
Collaborator

@TheFoxAtWork volunteered as well!

@evan2645
Copy link
Contributor Author

👋 hi everyone! Sorry I'm late to the party :)

I made some minor updates to the self assessment today, but nothing major - I think @anvega did a pretty thorough job (thanks Andres!!). We have removed the Draft label that previously appeared in the document name.

One thing that probably needs some attention is that the previous assessment (the results of which are in the self assessment) did not account for "Evil Server / Victim Server" attack vector. There may also be a modifier there of "Same Trust Domain" and "Different Trust Domain". I'm not sure if the old assessment methodology applies to the new process.

@JustinCappos
Copy link
Collaborator

JustinCappos commented Dec 19, 2019

One thing that probably needs some attention is that the previous assessment (the results of which are in the self assessment) did not account for "Evil Server / Victim Server" attack vector. There may also be a modifier there of "Same Trust Domain" and "Different Trust Domain". I'm not sure if the old assessment methodology applies to the new process.

We're doing a lighter process here (no collusion matrices for most projects). I think we might have still taken a few steps down this path here because the setup and trust relationships are fairly complex.

@lumjjb
Copy link
Contributor

lumjjb commented Dec 19, 2019

Here is the proposed schedule. How does this look like for all?

Jan 6-10: "Dumb questions phase"
(only project lead (and team) + lead security reviewer involved)

Jan 13 - 22: Security review phase - security reviewers add comments on the doc and conversation around edits to the doc continues
(project lead (and team) + all security reviewers)

Jan 22: Presentation to SIG-security meeting (MOVED to Feb 5)
(at least 1 representative from project team and security reviewers)

By Jan 24: Address all remaining comments, and finalize TOC summary (1 slide) (MOVED to Feb 7)

(To be scheduled) 1 slide sharing to the TOC

@JustinCappos
Copy link
Collaborator

I've read the reviewer guidelines.

@JustinCappos
Copy link
Collaborator

Here is the proposed schedule. How does this look like for all?

Jan 6-10: "Dumb questions phase"
(only project lead (and team) + lead security reviewer involved)

Jan 13 - 22: Security review phase - security reviewers add comments on the doc and conversation around edits to the doc continues
(project lead (and team) + all security reviewers)

Jan 22: Presentation to SIG-security meeting
(at least 1 representative from project team and security reviewers)

By Jan 24: Address all remaining comments, and finalize TOC summary (1 slide)

(To be scheduled) 1 slide sharing to the TOC

@evan2645 Does this timeline work for you?

@lumjjb
Copy link
Contributor

lumjjb commented Dec 19, 2019

I've read reviewer guidelines

@lumjjb
Copy link
Contributor

lumjjb commented Dec 20, 2019

@ultrasaurus @dshaw @pragashj require 2 co-chairs on reviewer conflicts

@lumjjb
Copy link
Contributor

lumjjb commented Dec 20, 2019

Note, as per discussion on slack, the initial "Dumb Question Phase" is not a full time commitment but more of an asynchronous process. I've allocated a bit of a buffer due to 18 hour timezone difference between myself and Evan, and my travel from SIN->SFO on 9-10 Jan.

@ultrasaurus
Copy link
Member

@lumjjb it looks like there are no reviewer conflicts, so we don't need chair review -- or did I miss something?

@anvega
Copy link
Contributor

anvega commented Dec 20, 2019

@ultrasaurus Wording may need to be revised. We interpreted the checkbox item as 2 SIG-chairs asserting that there are no reviewer conflicts and not a signoff where a conflict exists.

@evan2645
Copy link
Contributor Author

@JustinCappos Sure, I think that will work OK. I'm not traveling over the holiday season so am free to start whenever, but of course I understand that I'm probably the outlier :-D

One thing I will note is that I will probably be unavailable from Jan ~8-19th. I have spoken to @azdagron about this though, and he is willing to cover and help answer any questions in my absence as I'm not sure what my internet access will look like during that time. @azdagron is a SPIRE maintainer.

@lumjjb
Copy link
Contributor

lumjjb commented Dec 21, 2019

@evan2645 yep that is fine.

@TheFoxAtWork how does schedule look for you?

@TheFoxAtWork
Copy link
Contributor

yep yep works for me @lumjjb

@JustinCappos
Copy link
Collaborator

@ultrasaurus @dshaw @pragashj Can we get the chair signoff so we can move this to completed?

I think this means that @TheFoxAtWork @lumjjb and me need to submit our conflict forms as well...

@JustinCappos
Copy link
Collaborator

Hard conflicts:

Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO

Soft conflicts:

Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NOT REALLY. I performed a security audit / assessment of the project previously.
Reviewer has a personal stake in the project (personal relationships, etc.) - NO

@anvega
Copy link
Contributor

anvega commented May 14, 2020

@JustinCappos It’s been some time since the assessment was merged. I heard mention of this during today's SIG-Security call. Is there anything needed to close this issue and mark it done?

@JustinCappos
Copy link
Collaborator

@JustinCappos It’s been some time since the assessment was merged. I heard mention of this during today's SIG-Security call. Is there anything needed to close this issue and mark it done?

I think we're just waiting on the administrative items below from the SIG-Security side. Let's give people a day or two, but it should be closed this week.

@ultrasaurus @dshaw @pragashj Can we get the chair signoff so we can move this to completed?

I think this means that @TheFoxAtWork @lumjjb and me need to submit our conflict forms as well...

@JustinCappos
Copy link
Collaborator

Okay, given the chairs are preoccupied. I'm signing off on the COI.

@kapilt
Copy link

kapilt commented Aug 17, 2020

The self-assessment doc here isn't accessible anymore

@lumjjb
Copy link
Contributor

lumjjb commented Aug 17, 2020

The assessment doc is now part of the repo as an .md file: https://github.com/cncf/sig-security/blob/master/assessments/projects/spiffe-spire/self-assessment.md

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
assessment project security assessments (one issue per project)
Projects
None yet
Development

No branches or pull requests

7 participants