
[Security Review] Hexa Policy Orchestration

Open ggebel opened this issue 2 years ago • 11 comments

Project Name: Hexa Policy Orchestration

Github URL: https://github.com/hexa-org

CNCF project stage and issue (NA if not applicable): NA, pre-sandbox submission

Security Provider: yes/no (e.g. Is the primary function of the project to support the security of an integrating system?) Yes

  • [ ] Identify team
    • [x] Project security lead @ggebel
    • [x] Lead security reviewer @JustinCappos
    • [ ] 1 or more additional reviewer(s)
    • [ ] Every reviewer has read security reviewer guidelines and stated declaration of conflict
    • [ ] Sign off by 2 chairs on reviewer conflicts
  • [ ] Create slack channel (e.g. #sec-assess-projectname)
  • [x] Project lead provides draft document - self assessment
  • [ ] "Naive question phase" Lead Security Reviewer asks clarifying questions
  • [ ] Assign issue to security reviewers
  • [ ] Initial review
  • [ ] Presentation & discussion
  • [ ] Share draft findings with project
  • [ ] Assessment summary and doc checked into /assessments/projects/project-name (require at least 1 co-chair approval)
  • [ ] CNCF TOC presentation (if requested by TOC)

ggebel avatar Jul 13 '22 22:07 ggebel

First draft of self assessment: Hexa self assessment.pdf

ggebel avatar Jul 21 '22 22:07 ggebel

This issue has been automatically marked as inactive because it has not had recent activity.

stale[bot] avatar Sep 21 '22 04:09 stale[bot]

Thank you for sending this self assessment. Can you give a copy in Google Doc format so it is easy for us to comment on it?

Also, given the project is pre-sandbox, it may take a little time to get a team together from our side to assess this. Please feel free to ping us to ask about this if you do not hear back in a reasonable timeframe.

JustinCappos avatar Jul 07 '23 15:07 JustinCappos

Hi @JustinCappos, here you go: https://docs.google.com/document/d/1gHGIAqWfpNnu5b35F5qJgszJT4DUnUszsisIKTABU6c/edit?usp=sharing

ggebel avatar Jul 07 '23 18:07 ggebel

Okay, thanks!

@ggebel Will you act as the project security lead?

JustinCappos avatar Jul 07 '23 20:07 JustinCappos

Yes, @JustinCappos, I will act as security lead and bring in others as necessary.

ggebel avatar Jul 10 '23 15:07 ggebel

Yes, @JustinCappos, I will act as security lead and bring in others as necessary.

Okay, thanks. I added you above.

JustinCappos avatar Jul 10 '23 20:07 JustinCappos

This issue has been automatically marked as inactive because it has not had recent activity.

stale[bot] avatar Sep 17 '23 01:09 stale[bot]

I'm marking myself as lead reviewer. (I'm open to playing a different role if someone else wants to volunteer.)

I'll try to recruit other reviewers in the meeting this week. @ggebel , do you have cycles in the next month or so?

JustinCappos avatar Sep 17 '23 04:09 JustinCappos

Hi @JustinCappos - I should be able to make the call this week. Yes, I can make some time for discussions in the next month or more. However, note that we are making some changes to the next version, so I'm not sure if you want to wait for that work to complete or to get the first assessment completed sooner.

ggebel avatar Sep 18 '23 21:09 ggebel

I think that waiting may be better. Just give us a heads up when the next version is out and the self assessment is being revised. I can get a team together then.

JustinCappos avatar Sep 21 '23 13:09 JustinCappos