Difference between revisions of "Project Proposals/SRT"

From fd.io
(Created page with "{{Project_Proposals/Template}}")
 
 
(38 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{Project_Proposals/Template}}
+
 
 +
 
 +
[[Category:Project Proposal]]
 +
<!-- Please note: fd.io code is to be licensed under the Apache 2.0 license unless an exception is approved by the board -->
 +
 
 +
== Name ==
 +
Security Response Team
 +
 
 +
== Project Contact Name and Email ==
 +
Andi Rowley <andi.rowley@c9h.org>
 +
 
 +
== Repository Name ==
 +
srt
 +
<!-- Project Repository Name, should be:
 +
    i. Lower case
 +
    ii. Short
 +
    iii. Suitable for use as a C identifier
 +
-->
 +
 
 +
== Description ==
 +
Key security activities performed by the SRT include: 
 +
 
 +
* Conduct the risk assessment and use the results to supplement the base line security controls;
 +
 
 +
* Analyze security requirements;     
 +
 
 +
* Perform functional and security testing;
 +
 
 +
* Prepare initial documents for system certification and accreditation; and
 +
 
 +
* Design security architecture.
 +
 
 +
* Maintain CPE registrations with the NIST on behalf of all FD.io projects
 +
 
 +
* Monitor National Vulnerability Database for issues which may apply to CPEs registered by FD.io
 +
 
 +
<!-->Although this section presents the information security components in a sequential top-down manner, the order of completion is not necessarily fixed. Security analysis of complex systems will need to be iterated until consistency and completeness is achieved.
 +
-->
 +
 
 +
== Scope ==
 +
 
 +
The scope of this project includes
 +
 
 +
* Security aspects of SDLC
 +
* Development and maintenance of security response SOPs
 +
* Development and Management of security policy documents
 +
* NIST CPEs
 +
 
 +
== Initial Committers ==
 +
 
 +
{|
 +
!Name!!Email!!IRC nick!!LFID
 +
|-
 +
|C.J. Collier||cjcollier@linuxfoundation.org||cj||cjcollier
 +
|-
 +
|Andi Rowley||andi.rowley@c9h.org||human_||arowley
 +
|}
 +
 
 +
<!-- A list of the name/email/IRC nick of the initial project committers
 +
 
 +
 +
 +
IMPORTANT:  Committers should be people who will actually write code, being a committer is an actual commitment of time.  Please also note that committerness is an individual trait.  If a committer changes employers, they remain a committer.  New committers arise via meritocracy after the project is created, this typically involves some time of establishing history of meritocractic code contribution to the project..  Therefore, it is crucial that a committer is committed to ongoing work on the project in the longer term, not just short term.  For more information on how committers are added after project creation see:
 +
https://fd.io/sites/cpstandard/files/pages/files/exhibit_c_-_fd.io_technical_community_charter.pdf section 3.2.2.1.
 +
 
 +
-->
 +
 
 +
== Vendor Neutral ==
 +
<!--
 +
The goal here is to capture the degree of vendor neutrality of the code.
 +
The concerns are two fold: avoiding trademark issues, and maintaining openness.
 +
 
 +
For this reason, use of vendor names should be purely functional, and only if necessary to
 +
reasonably communicate functional information to the user.
 +
 
 +
Acceptable Examples:
 +
Indicating the presence of particular hardware
 +
Indicating drivers for particular hardware
 +
Indicating integration with particular technologies.
 +
 
 +
Unacceptable Examples:
 +
Use of vendor trademarks or product names purely for marketing purposes.
 +
 
 +
Please describe any such issues here.
 +
-->
 +
 
 +
No issue regarding vendor neutrality.
 +
 
 +
== Meets Board Policy (including IPR, being within Board defined Scope etc) ==
 +
 
 +
Meets board policy as expressed in [https://fd.io/sites/cpstandard/files/pages/files/exhibit_c_-_fd.io_technical_community_charter.pdf Technical Community Charter] and [https://fd.io/sites/cpstandard/files/pages/files/exhibit_b_-_fd.io_ip_policy.pdf IP Policy]
 +
 
 +
== Administrata ==
 +
* Request for Project proposal consideration
 +
** [https://lists.fd.io/pipermail/tsc/2016-July/000207.html Email ]
 +
** Date: July 25th 2016
 +
 
 +
== External links ==
 +
 
 +
* http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-64r2.pdf
 +
* https://nvd.nist.gov/cpe.cfm
 +
* https://web.nvd.nist.gov/view/vuln/search
 +
* https://wiki.debian.org/Teams/Security
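Review bot: the comment opener in `<!-->Although this section presents the information security components ...` is a typo for `<!--`; `<!-->` is not the standard opener (in HTML it closes the comment immediately), so write `<!-- Although ...` to be sure the NIST note stays hidden in the rendered page. In the Description list the first five bullets keep their source's sentence punctuation (`;`, `; and`, `.`) while the two FD.io-specific bullets have none, which leaves `accreditation; and` dangling before `Design security architecture.`; drop the trailing punctuation on all seven items. Minor wording: `base line` should be `baseline`, `the NIST` should be `NIST`, `[... Email ]` has a stray space before the bracket, and the template comment has `meritocractic` and `project..`.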

Latest revision as of 17:15, 13 August 2016


Name

Security Response Team

Project Contact Name and Email

Andi Rowley <andi.rowley@c9h.org>

Repository Name

srt

Description

Key security activities performed by the SRT include:

  • Conduct the risk assessment and use the results to supplement the baseline security controls
  • Analyze security requirements
  • Perform functional and security testing
  • Prepare initial documents for system certification and accreditation
  • Design security architecture
  • Maintain CPE registrations with NIST on behalf of all FD.io projects
  • Monitor the National Vulnerability Database (NVD) for issues which may apply to CPEs registered by FD.io


Scope

The scope of this project includes:

  • Security aspects of the SDLC
  • Development and maintenance of security response SOPs
  • Development and management of security policy documents
  • NIST CPEs

Initial Committers

Name          Email                           IRC nick   LFID
C.J. Collier  cjcollier@linuxfoundation.org   cj         cjcollier
Andi Rowley   andi.rowley@c9h.org             human_     arowley


Vendor Neutral

No issue regarding vendor neutrality.

Meets Board Policy (including IPR, being within Board defined Scope etc)

Meets board policy as expressed in the Technical Community Charter and the IP Policy.

Administrata

  • Request for Project proposal consideration
      • Email: https://lists.fd.io/pipermail/tsc/2016-July/000207.html
      • Date: July 25th 2016

External links

  • http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-64r2.pdf
  • https://nvd.nist.gov/cpe.cfm
  • https://web.nvd.nist.gov/view/vuln/search
  • https://wiki.debian.org/Teams/Security