Re: Question about action required from SIG-Security for OPA graduation


Chris Aniszczyk
 

All we mention in the graduation criteria is "Have completed an independent and third party security audit with results published of similar scope and quality as the following example (including critical vulnerabilities addressed): https://github.com/envoyproxy/envoy#security-audit and all critical vulnerabilities need to be addressed before graduation"

Which OPA has: https://github.com/open-policy-agent/opa#security-audit (they ALSO did an updated security audit for Gatekeeper, which I don't see published yet; maybe Torin can follow up on where this is). What isn't addressed is how recent that security audit should be. Right now that seems to be at TOC discretion, like other things; we could try to codify that you need to have a recent security audit within 2 years.

On Tue, Jul 21, 2020 at 11:53 PM Quinton Hoole <quinton@...> wrote:
Chris, does the CNCF have an external security assessment done before graduation?

On Tue, Jul 21, 2020, 13:02 Chris Aniszczyk <caniszczyk@...> wrote:
A simple invite for SIG Security to comment on your graduation proposal is sufficient based on the previous due diligence... "any concerns from incubation DD in addition to the standard graduation requirements"

I don't see a public graduation proposal from you yet so I'd get that out and invite the SIG to formally comment.

Hope that helps, but note the discretion lies with the TOC at the end of the day.



On Mon, Jul 20, 2020 at 10:53 AM Torin Sandall via lists.cncf.io <torin=styra.com@...> wrote:
Hello TOC,

Hopefully this is an easy question to answer 😅

Background:

- We're in the process of preparing a proposal for OPA to graduate from Incubation. As part of the process, we're putting together a due diligence document for review. We'll be able to share that soon.

- SIG-Security completed an assessment of OPA in October 2019: https://github.com/cncf/sig-security/pull/275. The assessment yielded useful feedback that has since been addressed. There haven't been any significant (design or architectural) changes to the project since the assessment (nor are there any planned).

The question to the TOC:

- What action is required from SIG-Security in the context of OPA's graduation process given they completed the assessment of OPA in October 2019?

Any guidance would be appreciated.

Thanks!

-Torin



--
Chris Aniszczyk (@cra) | +1-512-961-6719
