6f68b1e891
Change-Id: I80576d9b3d13f9b2a4c203e735ef4b5f54ef3641
1.4 KiB
Threat Analysis Todo
Needed
- page saying what TAs have been done, and which haven't.
- Etherpad template for review tracking
- process
- Improve documentation around context for OpenStack deployments, namely that they reflect best practice, and the documentation should explain what to do when things can be changed.
- Add information on filling in interfaces table from diagram.
- Remove U-C, O-C, I-C guidance
- Add guidance that explains the importance of paying special attention to interfaces that cross trust boundaries
- Reviewer to build sequence diagrams in real time during the review
- Document how we assess a third party review to be in line with our key security assertions. I think perhaps we need a mapping table or something.
- Should we prioritise assets?
- Data assets should be listed in the architecture page before the review.
- Figure out how to protect etherpad contents while retaining ability to share and collaboratively edit it.
- Add 'review CIA for data assets' to process
- change 'review CIA for each interface' to 'review CIA for each interface that crosses a security domain or each interface that doesn't use TLS'
- Best practice for each type of asset connection
- Document what a trust boundary is
- Document what an asset is. A config file? Elements within a config file?
- Document what level of detail we want for external dependencies and give examples.