Added templates for security review notes and findings
Added templates to be used during security review.

Change-Id: I25a84396fe2c8ec0fe8ba32b039295383997aa67
parent 2d1d4a449d
commit 9722f9a9e6
@ -16,6 +16,8 @@ Contents
objectives.rst
threat-analysis-process.rst
templates/architecture-page.rst
templates/review-findings.rst
templates/review-notes.rst
architecture-diagram-guidance.rst
todo.rst
@ -47,12 +47,8 @@ Differences from previous architecture
If this is a revision of a prior architecture, briefly list the new components
and interfaces. If this is a new architecture that replaces a prior service,
briefly describe how this service differs from its ancestor. If this is an
entirely new service with no precedent, then state only "This is a new service
with no related prior solution".

For example:

- New OpenStack service added in Liberty.
entirely new service with no precedent or one that has not been reviewed
previously, then remove this section.


External dependencies & associated security assumptions
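Review bot: the replacement wording "entirely new service with no precedent or one that has not been reviewed previously, then remove this section." drops the previous instruction to state explicitly "This is a new service with no related prior solution", so a reader of a finished architecture page can no longer tell whether the section was removed on purpose or simply forgotten. Consider keeping a one-line statement for the no-precedent case; note also that the deleted "For example: - New OpenStack service added in Liberty." line was the section's only illustration, so the remaining text has none.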
@ -73,20 +69,23 @@ For example:
Components
~~~~~~~~~~

In the component descriptions that follow, IC means that in a typical
deployment,they reside in hosted instances on the cloud, and UC means they are
likely to be in the under cloud infrastructure.
In the component descriptions that follow, I-C means that in a typical
deployment, they reside in hosted instances on the cloud, and U-C means they
are likely to be in the under cloud infrastructure. O-C means they are outside
of the cloud.

- component-1 (optional product/technology name)[IC or UC]: Describe component
- component-2 [IC]: Describe component
- component-3 [UC]: Describe component
- component-1 (optional product/technology name)[I-C or U-C]: Describe
component
- component-2 [I-C]: Describe component
- component-3 [U-C]: Describe component
- component-3 [O-C]: Describe component or service

For Example:

- Worker Queue (rabbitmq) [UC]: This queue is used to process new order
- Worker Queue (rabbitmq) [U-C]: This queue is used to process new order
requests. Other systems involved submit and receive data via this queue.
- Database (MySQL) [IC or UC]: Open-source sql database to store Barbican state
data related to its managed entities and their metadata.
- Database (MySQL) [I-C or U-C]: Open-source sql database to store Barbican
state data related to its managed entities and their metadata.


Interfaces
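Review bot: the new placeholder list labels two entries "component-3" (one [U-C], one [O-C]); the last one should be "component-4" so the placeholders stay distinct when someone fills the template in. The IC/UC to I-C/U-C rename, the new O-C class for components outside the cloud, and the "deployment,they" spacing fix all read fine. Minor: "Open-source sql database" in the Database example should read "SQL".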
@ -0,0 +1,75 @@
=================================
Security review findings template
=================================

<Project name> security review findings - version/release
=========================================================

**Status**: Draft/Completed

**Release**: Juno/Kilo/Liberty/Newton

**Version**: 0.01 if applicable

**Review Date**: mm/dd/yyyy

**Review Body**: <OpenStack Security Project/Name of Third Party Organisation >

**Contacts**:

- PTL: name - irc handle

- Architect: name - irc handle

- Security Reviewer: name - irc handle

- OpenStack Security Project Reviewer: <name> (only applicable for third party
security reviews)


1. Finding title
~~~~~~~~~~~~~~~~

- Risk: <Description of the Risk of this Finding>
- Impact: <Description of the Impact of this risk>
- Likelihood: <Low/Medium/High>
- Impact: <Low/Medium/High>
- Overall Risk Rating: <Low/Medium/High>
- Bug: <link to launchpad bug for this finding>
- Recommendation: <Description of the recommended resolution for this finding>
- Investigation Results: <Results of any investigation into this finding, such
as investigating and discovering this is a weakness in the core technology,
find that there is already a blueprint or patch in to fix it, or that a bug
should be opened for this>


2. Finding title
~~~~~~~~~~~~~~~~

- Risk: <Description of the Risk of this Finding>
- Impact: <Description of the Impact of this risk>
- Likelihood: <Low/Medium/High>
- Impact: <Low/Medium/High>
- Overall Risk Rating: <Low/Medium/High>
- Bug: <link to launchpad bug for this finding>
- Recommendation: <Description of the recommended resolution for this finding>
- Investigation Results: <Results of any investigation into this finding, such
as investigating and discovering this is a weakness in the core technology,
find that there is already a blueprint or patch in to fix it, or that a bug
should be opened for this>


3. Finding title
~~~~~~~~~~~~~~~~

- Risk: <Description of the Risk of this Finding>
- Impact: <Description of the Impact of this risk>
- Likelihood: <Low/Medium/High>
- Impact: <Low/Medium/High>
- Overall Risk Rating: <Low/Medium/High>
- Bug: <link to launchpad bug for this finding>
- Recommendation: <Description of the recommended resolution for this finding>
- Investigation Results: <Results of any investigation into this finding, such
as investigating and discovering this is a weakness in the core technology,
find that there is already a blueprint or patch in to fix it, or that a bug
should be opened for this>
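Review bot: each finding block lists "Impact" twice, once as a free-text description ("Impact: <Description of the Impact of this risk>") and once as a Low/Medium/High rating, which makes the second entry ambiguous to fill in; rename the rating to something like "Impact Rating" (or drop the descriptive one, since "Risk" already carries a description) so that Likelihood, Impact and Overall Risk Rating form a consistent trio. The "Investigation Results" placeholder also reads awkwardly ("find that there is already a blueprint or patch in to fix it"); "finding that a blueprint or patch is already in progress to fix it" would be clearer. Smaller points: the trailing space in "<OpenStack Security Project/Name of Third Party Organisation >", and the three identical finding blocks could be a single block with a note to copy it once per finding.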
61
security-threat-analysis/source/templates/review-notes.rst
Normal file
@ -0,0 +1,61 @@
==============================
Security review notes template
==============================

<Project name> security review notes - <version/release>
========================================================

**Status**: Draft/Completed

**Release**: Juno/Kilo/Liberty/Newton

**Version**: 0.01 if applicable

**Review Date**: mm/dd/yyyy

**Review Body**: <OpenStack Security Project/Name of Third Party Organisation >

**Contacts**:

- PTL: name - irc handle

- Architect: name - irc handle

- Security Reviewer: name - irc handle

**Reviewers**:

- <Project>: <reviewer names/handles>
- <Security Review Body>: <reviewer names/handles>
- OpenStack Security Project: <reviewer names/handles> (only applicable for
third party reviews)


Review
~~~~~~


Abuse cases
-----------

- <abuse case>
- <abuse case>


Architectural diagram walkthrough
---------------------------------

- notes


Sequence/DFD diagram walkthrough
--------------------------------

- notes


Actions
-------

1. action 1
2. action 2
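Review bot: the Status/Release/Version/Review Date/Review Body/Contacts header block is duplicated verbatim from review-findings.rst in the previous hunk; a shared fragment pulled in with the RST ".. include::" directive would keep the two templates from drifting apart. Within this file, "Security Reviewer: name - irc handle" under Contacts overlaps with the "Reviewers" list that follows it; keep reviewer names in one place. The same trailing space appears in "<OpenStack Security Project/Name of Third Party Organisation >".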