Skip to content

docs: add security review program guidelines#4481

Open
ParthSinghPS wants to merge 1 commit into
hyperledger-cacti:mainfrom
ParthSinghPS:docs-security-guidelines
Open

docs: add security review program guidelines#4481
ParthSinghPS wants to merge 1 commit into
hyperledger-cacti:mainfrom
ParthSinghPS:docs-security-guidelines

Conversation

@ParthSinghPS

Copy link
Copy Markdown
Member

This PR supersedes and replaces #4265.

As discussed in the original PR's review by @VRamakrishna and @RafaelAPB, this PR updates the title and description to clarify that it introduces a set of guidelines for carrying out security reviews, rather than executing the actual review itself.

The original 'Fixes #4036' tag has been intentionally removed, as this PR provides supplementary documentation rather than closing the issue.

This PR supersedes and replaces hyperledger-cacti#4265.

As discussed in the original PR's review by @VRamakrishna and @RafaelAPB,
this PR updates the title and description to clarify that it introduces a
set of guidelines for carrying out security reviews, rather than
executing the actual review itself.

The original 'Fixes hyperledger-cacti#4036' tag has been intentionally removed, as this
PR provides supplementary documentation rather than closing the issue.

Co-authored-by: malsomesh9 <malsomesh9@gmail.com>
Signed-off-by: ParthSinghPS <posiedon.1721@gmail.com>
@@ -0,0 +1,190 @@
Security Review Program
======================================================

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please follow the formatting of other docs - use ---- (markdown native separator)

- The package has recently changed dependencies, network surfaces, or
serialization boundaries.

Initial target classes:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This may be removed as all code is possible to be reviewed

The review is complete when maintainers can point to the review artifacts and
the follow-up issues that track accepted remediation work.

## Target Package Selection

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This may be removed as all code is possible to be reviewed

8. Close the tracking issue only after the checklist and remediation backlog are
linked from the issue.

## Automated SCA

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The automated processes should be left out of the current document. The security review program focuses on security findings by the community.

- Persistence packages.
- Cross-network messaging and interoperability packages.

## Review Workflow

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We will need to polish this. In particular a new contributor does not have the ability to add tags to issues;

- Reviewer(s):
- Date:

## Assets

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would remove the assets section and add a target parameter to the scope section

- Filesystem paths:
- External service calls:

## Trust Boundaries

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Trust boundaries should be more aligned with our stack, we need to revisit

- Container boundary:
- Browser to backend:

## Threats

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

have the parameters as a template eg
<Spoofing, ETC>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

chore: comprehensive security review program

2 participants