
Formulate extensively in an answer-forcing manner, rather than open-ended questions

Open llarsson opened this issue 4 years ago • 2 comments

To as great an extent as possible, re-formulate the document into a "yes or no" manner (implying there could be checkboxes one could tick or not tick), rather than open-ended questions, or ones that ask "when did you last X", so that it forces the reader to answer truthfully and with data.

For instance, "Describe your access control system for Kubernetes?" is very open-ended. It would be better broken down into questions regarding whether there is an identity provider, if there is a clear policy regarding who gets what access, if RBAC is used to enforce that policy, and so on.

It requires more thinking on our part, but helps the customer immensely to see the value we can help them achieve.

llarsson · Mar 15 '21 06:03

Assigned @cristiklein instead, because they currently have more time to take a stab at this.

llarsson · May 04 '21 11:05

I have created the Cloud Information Security Review Checklist following the suggestions from this issue; however, the Kubernetes checklist still needs to be improved.

jakubkrzywda · Jun 28 '21 11:06