Issue 449: security evaluation process - documentation update #488
Conversation
…former outline.md to become joint-evaluation.md for incubating projects pulling references from the self-assessment
…into issue-449-newdocs
I've read this over and the changes all seem fine to me. I'm missing some context for a few of them, but they are all logical decisions. I imagine we will need further refinement, but this feels like an important step forward!
Awesome work here! Have a couple nits and requests, if not LGTMed! This is great, love the revamp.
@lumjjb made the updates you requested, question on one of them
small wording and formatting
thanks for the quick response @TheFoxAtWork ! one remaining open question (from above): "Is this [joint review] a separate document now? previously I think we made suggested edits in the self-eval and the rest of the content went in the README"
* Update APAC frequency to bi-weekly; add link to cncf calendar. * suggestions from PR * Update README.md Co-authored-by: Sarah Allen <sarah@ultrasaurus.com> Co-authored-by: DNX <auraltension@riseup.net> Co-authored-by: Sarah Allen <sarah@ultrasaurus.com>
Below is the list of files/changes and brief summary of where they fit/what they are, @ultrasaurus the self-assessment, joint-review, and joint readme are all separate in the repo. The self-assessment is significantly smaller than the joint-review and intended to be a starting point for less mature projects. The joint review pulls a lot of content from the self-assessment, with an expectation those are updated as appropriate and expanded during the joint-review. The joint-readme is the template to extract the relevant, summarized content from the joint-review for the project's folder in the repo.
- Github issue template update - name change, content update
- assessments/README.md - overview of the security review process
- assessments/guide/README.md - detailed description of the security review process, steps, document links, templates, etc.
- assessments/guide/joint-readme-template.md - this is the final summary written by the review team that serves as the Project's README.md in the project folder when the security review's joint-review is complete.
- assessments/guide/joint-review.md - template/outline for the joint-review document that builds on top of the self-assessment. May be used independently from the self-assessment for more mature projects
- assessments/guide/project-lead.md - updates to the content and naming
- assessments/guide/review-survey.md - simple survey to ascertain effectiveness and experience of the security review process
- assessments/guide/security-reviewer.md - updates to the content and naming
- assessments/guide/self-assessment.md - template/outline for the self-assessment used to later build the joint-review. Recommended for less mature projects looking to initiate security thinking and documentation.
Co-authored-by: Emily Fox <33327273+TheFoxAtWork@users.noreply.github.com>
thanks @TheFoxAtWork for the summary! The change of separating self-assessment and joint-review documents seems like it will reduce the initial effort of the project lead and put more work onto the security review team. This seems important since the new process allows for self-assessment and joint-review to be spaced farther apart in time than has been the case in the past. As a past reviewer, I'd be fine with this change if I were to lead a future review. I think this is on the agenda for the meeting tomorrow, so ok to discuss then. It would be great to capture motivation and check in with past project leads & other reviewers (if you haven't done so already) to validate that they believe this change is an improvement :)
Update links to usecases where currently broken
More updates to table of contents
Add Matt Jarvis as member
Add Or Azarzar to Members
this was apparently not updated a while back, we'll see if we can use settings instead of Admin UI
Update permission for chairs & TLs
we shouldn't use Github UI anymore because that is confusing
add comment to explain better how this works
@ultrasaurus looks like there were changes made based on your comments, can you verify that your comments have been resolved? I think with that, we should be good to merge soon!
before they were just added to README, but we want them to be the whole repo as is reflected in the comment Co-authored-by: Brandon Lum <lumjjb@gmail.com>
LGTM!
Signed-off-by: Brandon Lum <lumjjb@gmail.com>
* WIP - created self-assessment outline for sandbox projects, modified former outline.md to become joint-evaluation.md for incubating projects pulling references from the self-assessment
* updates per @magnologan thread in slack
* added hands-on review section per issue cncf#449 & cncf#349
* created project README.md template for completion of joint evaluation
* updated joint evaluation per vuln discussion with @magnologan in slack
* created evaluation survey for post security evaluation (self or joint)
* updated README with new process details
* finished updating the docs to the new process
* updated issue template for new process conventions
* updated with @lumjjb comments
* added @lumjjb recommendations
* Changed 'evaluation' to 'review' per last discussion
* updated new docs with 'review' over 'evaluation'
* More updates to table of contents
  More updates to table of contents to fix topic depth
* small wording and formatting
* changes per @ultrasaurus suggestions
* Update APAC frequency to bi-weekly (cncf#529)
* Update APAC frequency to bi-weekly; add link to cncf calendar.
* suggestions from PR
* Update README.md
  Co-authored-by: Sarah Allen <sarah@ultrasaurus.com>
  Co-authored-by: DNX <auraltension@riseup.net>
  Co-authored-by: Sarah Allen <sarah@ultrasaurus.com>
* Update links to usecases
* Update assessments/guide/README.md
* Update security-whitepaper/cloud-native-security-whitepaper.md
  Co-authored-by: Emily Fox <33327273+TheFoxAtWork@users.noreply.github.com>
* Add Matt Jarvis as member
* Add Or Azarzar to Members
* Update permission for chairs & TLs
  this was apparently not updated a while back, we'll see if we can use settings instead of Admin UI
* add comment to explain better how this works
  we shouldn't use Github UI anymore because that is confusing
* add new TLs as repo CODEOWNERS (cncf#541)
  before they were just added to README, but we want them to be the whole repo as is reflected in the comment
  Co-authored-by: Brandon Lum <lumjjb@gmail.com>

Co-authored-by: Emily Fox <emily.l.fox7.civ@mail.mil>
Co-authored-by: Brandon Lum <lumjjb@gmail.com>
Co-authored-by: Sarah Allen <sarah@ultrasaurus.com>
Co-authored-by: DNX <2435032+0x646e78@users.noreply.github.com>
Co-authored-by: DNX <auraltension@riseup.net>
Co-authored-by: Matt Jarvis <matt@mattjarvis.org.uk>
Co-authored-by: Or Azarzar <or@lightspin.io>
This issue is to update the existing documentation to reflect a new security evaluation process.