[Assessment] Cloud Custodian #307
Comments
|
will raise hand to be a reviewer but due to time constraints cannot be lead on this one, sorry! edit: no conflicts AFAIK |
|
thanks - where else can/should we enlist reviewers? |
|
I'll volunteer to review too. @ashutosh-narkar , would you be able to participate as a reviewer? I think your perspective would be very helpful. We can find someone else to lead. |
|
Sure @JustinCappos, I would be happy to be a reviewer. |
|
EDIT: markdown strikethrough not cooperating...
Falco seems to be ready to go so I'll have to revert to reviewer instead of the lead. sorry!
…On Sat, Dec 14, 2019 at 2:28 PM Ashutosh Narkar ***@***.***> wrote:
Sure @JustinCappos <https://github.com/JustinCappos>, I would be happy to
be a reviewer.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#307>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAGENIQXJ2SF67Q4VMI4AP3QYVMXZANCNFSM4JZT4WLQ>
.
|
|
Okay, I'll let @ultrasaurus weigh in on priorities, likely after getting TOC guidance. |
|
thank you - wait, isn't Falco already a sandbox project? In which case, haven't they already gone through some assessment? Just curious - what is the bar to becoming a sandbox project? - @ultrasaurus |
|
Falco did a code audit via the TOC before this SIG had established any
assessment process. The idea though is that the SIG assessment would be
complimentary to, and not a substitute for, a code audit (or operational
pen test, or in situ vulnerability assessment, etc).
As Sarah and others have articulated elsewhere, the scope of the SIG
assessment is more around threat model, default secure configuration
options, and project team capabilities and values to maintain secure design
and implementation practices over time....rather than a snapshot
point-in-time audit. Or at least that’s how I see it.
Falco still has yet to complete the SIG assessment. OPA was already sandbox
when they underwent this SIG assessment process. You can discuss with them
the perceived or actual benefits of the process, and overall feedback. I
presume they would also have some suggestions on how to efficiently
complete the process, too.
The sig assessment is not current a requirement for any CNCF milestone.
That is under discussion with the TOC as I understand. Some of us (at
least one of us ;) think it should be, or at the very least accelerate
acceptance or focus resources on those who do voluntarily complete it,
especially security-oriented projects.
…On Sun, Dec 15, 2019 at 7:22 AM John Mark ***@***.***> wrote:
thank you - wait, isn't Falco already a sandbox project? In which case,
haven't they already gone through some assessment?
Just curious - what is the bar to becoming a sandbox project? -
@ultrasaurus <https://github.com/ultrasaurus>
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#307>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAGENIRIGHXTUF4U4EYMT2LQYZDT3ANCNFSM4JZT4WLQ>
.
|
|
Thank you for the context - that is helpful. |
|
as reviewer here is my conflict declaration: Hard conflicts: Soft conflicts: Reviewer belongs to the same company/organization of the project, but does not work on the project - NO |
|
I'm open to be a reviewer as well, although I would not be able to be lead due to a soft conflict. Hard conflicts: Soft conflicts: |
|
@ericavonb I think was maybe willing/able to volunteer as lead, and I said I'd help her through the process...that was discussed pre-holidays on the last Policy WG call, so not sure if she has had time to reconsider and run away (Monty Python skit comes to mind ;) ) |
|
I'm open to be a reviewer. Here is my conflict declaration: Hard conflicts: Soft conflicts: Reviewer belongs to the same company/organization of the project, but does not work on the project - NO |
|
Hard conflicts: Soft conflicts: Reviewer belongs to the same company/organization of the project, but does not work on the project - NO |
|
We need a lead reviewer. @ericavonb Would you be willing to take on this role? |
|
@JustinCappos we discussed at the last sig-security meeting that it would be best if someone who was on a previous security review could take the lead. Wdyt? |
|
That only really leaves @ashutosh-narkar, I think. Ash, are you willing to do this? |
|
Hello @JustinCappos, I would like to get some experience in the reviewer role before leading a review. I would more comfortable leading the next one. Hope that's fine. |
|
Okay. @ericavonb , I'd be happy to have you lead this. I understand the concern about not having done this, but you can rely on @rficcaglia, @ultrasaurus, and me to help out if you have questions / problems. Are you comfortable taking the lead role with us supporting? |
|
Yes I’m definitely happy to help!
…On Fri, Jan 17, 2020 at 8:59 AM Justin Cappos ***@***.***> wrote:
Okay. @ericavonb <https://github.com/ericavonb> , I'd be happy to have
you lead this. I understand the concern about not having done this, but you
can rely on @rficcaglia <https://github.com/rficcaglia>, @ultrasaurus
<https://github.com/ultrasaurus>, and me to help out if you have
questions / problems. Are you comfortable taking the lead role with us
supporting?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#307>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAGENIUYLJ6VOGDT23ESPCDQ6HBWBANCNFSM4JZT4WLQ>
.
|
|
I think it is important to have someone in the lead role who run the process before -- from a SIG-Security perspective, we're not just working on this assessment. We're also testing the process. (This will be # 5 of our FIRST FIVE #167). Of our experienced reviewers, @rficcaglia is leading Falco, @lumjjb is leading SPIFFE/SPIRE. looping in @justincormack to see if he might be open to leading this one. |
|
Hard conflicts: Reviewer is a maintainer of the project - NO Soft conflicts: Reviewer belongs to the same company/organization of the project, but does not work on the project - NO |
|
Hard conflicts: Reviewer is a maintainer of the project - NO Soft conflicts: Reviewer belongs to the same company/organization of the project, but does not work on the project - NO |
|
I could lead this, and mentor @ericavonb if that works better. |
Great! @justincormack Would you kindly post your conflict statement? |
|
Hard conflicts: Soft conflicts: |
|
one more - as reviewer here is my conflict declaration: Hard conflicts: Soft conflicts: |
|
/assign @lumjjb |
|
Hard conflicts: Soft conflicts: Reviewer belongs to the same company/organization of the project, but does not work on the project - NO -Matthew |
|
Hi All! So the Doodle poll best option was tomorrow (Tues) Jul 13 7:00 AM- 7:30 AM Pacific...unfortunately not everyone could make it, but, the next best option was the 7:30AM-8AM Pacific slot so I will stay on the line for the full hour and merge in everyone's feedback. Join the usual TAG zoom |
|
Good day, I'll bring this up during tomorrow's general meeting, but in the meantime: Calling for reviewers :) We could especially use some eyes on the "Threat Model" section. Document link/bookmark: https://docs.google.com/document/d/1IbrFNz2lIICema0NfF27HflzsMcTQGxH22SubLUM47I/edit#bookmark=id.1ci93xb Thank you! |
|
Hi @IAXES , @rficcaglia , trying to understand the ask for reviewers, is this an issue of too big a scope, and we need more reviewers, or do we need a reviewer with a specific expertise/skillset? Tagging @rohitkhare |
|
mostly more bodies :) right now it is just Matthew and Chase and myself.
having another set of eyes, or two, especially from more kubernetes
operators or non-AWS operators would be ideal.
…On Wed, Jul 28, 2021 at 10:45 AM Brandon Lum ***@***.***> wrote:
Hi @IAXES <https://github.com/IAXES> , @rficcaglia
<https://github.com/rficcaglia> , trying to understand the ask for
reviewers, is this an issue of too big a scope, and we need more reviewers,
or do we need a reviewer with a specific expertise/skillset?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#307 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AQWTGFD6VKCGNYOIZ5WAAN3T2A62XANCNFSM4JZT4WLQ>
.
|
|
Hmm, based on the issue history, looks like a ton of reviewers expressed interest early in the year, lets reach out to them |
|
I'll schedule time to deep dive on it next week, apologies for my tardiness. If there is a particular area requiring explicit attention please make me aware |
|
the recorded Zoom session from yesterday was a good start on the threat
model - but definitely AWS specific - would be nice to have Azure or GCP -
and ideally Kube.
…On Wed, Jul 28, 2021 at 11:01 AM Matthew Giassa ***@***.***> wrote:
I'll schedule time to deep dive on it next week, apologies for my
tardiness. If there is a particular area requiring explicit attention
please make me aware
The "Threat Model" section (IIRC) could use a broad perspective from
multiple reviewers.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#307 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AQWTGFDUXRMDIAGRW3BFPTTT2BAY7ANCNFSM4JZT4WLQ>
.
|
|
Checking in here on a status, would someone update the issue and resolve the outstanding items on #786? |
|
We (c7n) owe Robert some updates to the assessment, we've prioritized getting this to him as soon as we can. |
I believe we also need the final/canonical copy of the self-assessment document (in markdown format). |
|
I sign off on conflicts declaration statements (for co-chair sign-off), with updated participants from the one initially done couple months ago. |
|
This issue has been automatically marked as inactive because it has not had recent activity. |
|
Can we close this issue ? cc @sunstonesecure-robert @lumjjb |
Project Name: Cloud Custodian
Github URL: https://github.com/cloud-custodian/cloud-custodian
Security Provider: yes, although its often used independently from security concerns, for many users its part of their security tooling.
older self-assessment document
The text was updated successfully, but these errors were encountered: