modifications to assessment docs per 06122019 meeting notes

assessments/README.md

@@ -15,16 +15,15 @@ The primary goal is to reduce the risk from malicious attacks and accidental bre
 
 ### 2) Accelerate adoption of cloud native technologies
 
-Security reviews are a necessary, yet time consuming process, where each
+Security reviews are a necessary, time intensive process. Each
 company, organization and project must perform its own reviews to ensure
 that it meets its unique commitments to its own users and stakeholders.
-In open source, simply finding security-related information can be a very
-time consuming part of the the process. The process is designed to enable improved discovery of security information & streamlined security reviews in multiple ways:
+In open source, simply finding security-related information can be overwhelmingly difficult and a time consuming part of the security review. The CNCF security assessment process is intended to enable improved discovery of security information & assist in streamlining internal and external security reviews in multiple ways:
 
    * Consistent documentation reduces review time
    * Established baseline of security-relevant information reduces Q&A
    * Clear rubric for security profile enables organizations to align their
-   risk profile with project’s risk profile and effectively allocate resources
+   risk profile with the project’s risk profile and effectively allocate resources
    (for review and needed project contribution)
    * Structured metadata allows for navigation, grouping and cross-linking
 
@@ -35,24 +34,20 @@ the assessements.
 
 ## Outcome
 
-Each project assessment will:
+Each CNCF project security assessment will:
 1. ensure a clear description of the project's design goals with respect to
 security
-2. uncover design flaws and document known limitations
+2. uncover design and configuration flaws while documenting known limitations
 3. document next steps toward increasing security of the project itself and/or
-increasing the applications of the project toward increasing security of the
-cloud native ecosystem
+increasing the applications of the project toward a more secure cloud native ecosystem
 
 Due to the nature and timeframe for the analysis, *this review is not meant
 to subsume the need for a professional security audit of the code*.  Audits
-of implementation vulnerabilities and similar issues at that level are not
-intended to be covered by this assessment.  The purpose of this effort is to
-uncover design flaws and to obtain a clear articulation of what the project's
-design goals and security properties are intended to be.
+of implementation specific vulnerabilities, improper deployment configuration, etc. are not in scope of a CNCF project security assessment.  A CNCF project security assessmet is intended to uncover design and configuration flaws and to obtain a clear, comprehensive articulation of the project's design goals and aspirations while documenting the intended security properties enforced, fulfilled, or executed by said project.
 
 ## Process
 
-The project assessment is intended to be a collaborative process for
+The project security assessment is a collaborative process for
 the benefit of the project and the community, where the primary content is
 generated by the [project lead](guide/project-lead.md) and revised based on feedback
 from [security reviewers](guide/security-reviewer.md) and other members of the

assessments/guide/README.md

@@ -9,7 +9,7 @@ this document outlines the procedure by which a project should be evaluated.
 
 ## Steps
 
-1. Create tracking issue
+1. [Create tracking issue](https://github.com/cncf/sig-security/issues/new?assignees=&labels=assessment&template=security-assessment.md&title=%5BAssessment%5D+Project+Name)
    * Issue may be a request from TOC liason or project itself
 2. Project provides self-assessment
    * [project lead](project-lead.md) responds to the issue with draft document (see [outline](outline.md))

assessments/guide/project-lead.md

@@ -1,6 +1,6 @@
 # Project Lead
 
-In the context of the security assessment, the "project lead" should be
+In the context of the project security assessment, the "project lead" should be
 someone on the security team for the project. For new or smaller projects
 without an established security team, this could be a project maintainer
 or they may delegate to a regular contributor who has an interest in security.

assessments/guide/security-reviewer.md

@@ -12,20 +12,28 @@ involving deployment scenarios and the impact of attacks.
 
 ## Qualifications
 
+### Required
+
 Unless approved by the SIG chairs, at least one of the reviewers will
-have previously performed a SAFE WG audit.  (Exemptions are expected to be
-granted bootstrap the process but only in extreme cases later on.)  In
-general, a reviewer should have performed security audits for diverse
-organizations.  The ideal reviewer should also have been the recipient
-of security audits for a software project they manage.  Note that it is
-encouraged to have participation (shadowing) from participants that are not
-yet qualified to help them gain the necessary skills to be a reviewer
+have previously performed a CNCF project security assessment.
+Exemptions to this are reviewed case by case upon established need by the CNCF Security SIG Chairs and Co-Chairs in order to bootstrap the process as appropriate.
+
+### Preferred
+
+It is preferred reviewers have previous experience performing security audits or assessments for a variety of
+organizations.  An ideal reviewer should also have been the recipient
+of CNCF project security assessments for a software project they manage.  
+
+Note: it is encouraged to have participation (shadowing) from participants that are not
+yet qualified in order to provide and assist in gaining necessary skills to be a reviewer
 in the future.
 
 ## Time and effort
 
-The level of effort for the reviewers is expected to be 10 hours.
-Despite the fact that there may be some back and forth to get clarification
-on a few points, it is expected analysis can usually be concluded in a few
-weeks.  This will primarily involve carefully reading the written
-document and analyzing the security assertions and assumptions.
+The level of effort for the reviewers is expected to be 10 hours over the course of a few weeks.
+Correspondance, project availability, and clarification of a project's scope or other details in the ticketed request for project security assessment may add additional time.  Effort is expected to include and may not be limited to:
+* reviewing existing security documentation
+* reviewing ticketed request for project security assessment
+* analysis of security assertions and assumptions
+
+