The security assessment process is designed to accelerate the adoption of cloud native technologies, based on the following goals and assumptions:
The primary goal is to reduce the risk from malicious attacks and accidental breaches of privacy. This process supports that goal in two ways:
- Clear and consistent process for communication increases detection & reduces time to resolve known or suspected vulnerability issues
- A collaborative evaluation process increases domain expertise within each participating project.
Security reviews are a necessary, time intensive process. Each company, organization and project must perform its own reviews to ensure that it meets its unique commitments to its own users and stakeholders. In open source, simply finding security-related information can be overwhelmingly difficult and a time consuming part of the security review. The CNCF security assessment, hereafter "security assessment," process is intended to enable improved discovery of security information & assist in streamlining internal and external security reviews in multiple ways:
- Consistent documentation reduces review time
- Established baseline of security-relevant information reduces Q&A
- Clear rubric for security profile enables organizations to align their risk profile with the project’s risk profile and effectively allocate resources (for review and needed project contribution)
- Structured metadata allows for navigation, grouping and cross-linking
We expect that this process will raise awareness of how specific open source projects affect the security of a cloud native system; however, separate activities may be needed to achieve that purpose using materials generated by the assessements.
Each project's security assessment shall include a description of:
- the project's design goals with respect to security
- any aspects of design and configuration that could introduce risk
- known limitations, such as expectations or assumptions that aspects of security, whole or in part, are to be handled by upstream or downstream dependencies or complementary software
- next steps toward increasing security of the project itself and/or increasing the applications of the project toward a more secure cloud native ecosystem
Due to the nature and timeframe for the analysis, this review is not meant to subsume the need for a professional security audit of the code. Audits of implementation-specific vulnerabilities, improper deployment configuration, etc. are not in scope of a security assessment. A security assessmet is intended to uncover design and configuration flaws and to obtain a clear, comprehensive articulation of the project's design goals and aspirations while documenting the intended security properties enforced, fulfilled, or executed by said project.
The security assessment is a collaborative process for the benefit of the project and the community, where the primary content is generated by the project lead and revised based on feedback from security reviewers and other members of the SIG.
See security assessment guide for more details.