[Required] Document Security Self-Assessment.

[avishnu]

Security Self-Assessment

[niladrih]

This is a list of requirements for preparing the self-assessment document:

• A deployment diagram for OpenEBS with key components/services outlined.
• Categorize deployed into logical 'actors' in the system, e.g. LocalPV-Hostpath control-plane, Replicated PV Mayastor control-plane, Replicated PV Mayastor data-plane.
• Code
  • Identify all instances of authorization and authentication, e.g. RBAC
  • Identify all instances of network communication
  • Identify instances of interaction with the kube-apiserver
  • Identify instances of data integrity checks, e.g. checksums
  • Specify presence/absence of TLS/IPsec
  • Identify possibilities of unauthorized code execution
  • Environment visibility of API keys, etc.
• Dev practices
  • Validating changes
  • Requirements for commit merge
  • Vulnerability scan
  • Code coverage
  • Lint
• Communication channels
• Known/Resolved security issues
• Issue resolution strategy
• Build a Threat Model
  • Determine what needs to be protected.
  • Use frameworks like STRIDE to identify threats for each component.
  • Evaluate the likelihood and potential impact of each threat.
  • Implement controls to mitigate or prevent threats.
  • Test the threat model and update it as the system evolves.
  • e.g.: https://github.com/cncf/tag-security/blob/main/community/assessments/projects/longhorn/threat-model.md

[niladrih]

Our response:

https://github.com/openebs/community/blob/develop/security/self-assessment.md