Difference between revisions of "Project Proposals/SRT"

From fd.io
(Vendor Neutral)
 
(30 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{Project Facts
|name=deb_dpdk
|shortname=deb_dpdk
|jiraName=DEBDPDK
|projectLead=
|committers=
* C.J. Collier
* Andi Rowley
}}

[[Category:Project Proposal]]
Line 22: Line 8:
== Project Contact Name and Email ==
<!-- Name and email of the project contact -->
+ Andi Rowley <andi.rowley@c9h.org>

== Repository Name ==
SRT
+ srt
<!-- Project Repository Name, should be:
     i. Lower case
Line 33: Line 19:
== Description ==
This section addresses security considerations unique to the second SDLC phase. Key security activities for this phase include:
+ Key security activities performed by the SRT include:

•Conduct the risk assessment and use the results to supplement the base line security controls;
+ * Conduct the risk assessment and use the results to supplement the base line security controls;

•Analyze security requirements;
+ * Analyze security requirements;

•Perform functional and security testing;
+ * Perform functional and security testing;

•Prepare initial documents for system certification and accreditation; and
+ * Prepare initial documents for system certification and accreditation; and

•Design security architecture.
+ * Design security architecture.

Although this section presents the information security components in a sequential top-down manner, the order of completion is not necessarily fixed. Security analysis of complex systems will need to be iterated until consistency and completeness is achieved.
+ * Maintain CPE registrations with the NIST on behalf of all FD.io projects
+
+ * Monitor National Vulnerability Database for issues which may apply to CPEs registered by FD.io
+
+ <!-->Although this section presents the information security components in a sequential top-down manner, the order of completion is not necessarily fixed. Security analysis of complex systems will need to be iterated until consistency and completeness is achieved.
+ -->
  
 
== Scope ==
<!-- Project scope.  The project scope should be well defined.  It should be possible from the scope to crisply answer whether something belongs or not within the scope of this particular project. Scopes should not be overly broad.  A Project scope must also lie within the overall scope set by the board for projects in fd.io:
    - IO
        – Hardware/vHardware <-> threads/cores
    - Processing
        - Classify
        - Transform
        - Prioritize
        - Forward
        - Terminate
    - Management Agents
        - Control/Manage IO/Processing
    - Supporting Projects
        - Testing/Tools/Infrastructure
        - Integration with other systems

CHAPTER ONE
+ The scope of this project includes
INTRODUCTION
+ Consideration of security in the System Development Life Cycle is essential to
+ implementing and integrating a comprehensive strategy for managing risk for all
+ information technology assets in an organization. The National Institute of Standards and
+ Technology (NIST) Special Publication (SP) 800-64 is intended to assist federal government
+ agencies to integrate essential security activities into their established system development life
+ cycle guidelines.  -->
+

The purpose of this guideline is to assist agencies in building security into their IT development
+ * Security aspects of SDLC
processes. This should result in more cost-effective, risk-appropriate security control
+ * Development and maintenance of security response SOPs
identification, development, and testing. This guide focuses on the information security
+ * Development and Management of security policy documents
components of the SDLC. Overall system implementation and development is considered outside
+ * NIST CPEs
the scope of this document.  Also considered outside scope is an organization’s information
+ system governance process. First, the guideline describes the key security roles and responsibilities that are needed in
+ development of most information systems. Second, sufficient information about the SDLC is provided to allow a person who is unfamiliar with the SDLC process to understand the relationship between information security and the SDLC.
+ The scope of this document is security activities that occur within a waterfall SDLC
+ methodology. It is intended that this could be translated into any other SDLC methodology that an agency may have adopted.
+
  
 
== Initial Committers ==
<!-- A list of the name/email/IRC nick of the initial project committers
+
+ {|
+ !Name!!Email!!IRC nick!!LFID
+ |-
+ |C.J. Collier||cjcollier@linuxfoundation.org||cj||cjcollier
+ |-
+ |Andi Rowley||andi.rowley@c9h.org||human_||arowley
+ |}
+
+ <!-- A list of the name/email/IRC nick of the initial project committers
+
+

IMPORTANT:  Committers should be people who will actually write code, being a committer is an actual commitment of time.  Please also note that committerness is an individual trait.  If a committer changes employers, they remain a committer.  New committers arise via meritocracy after the project is created, this typically involves some time of establishing history of meritocractic code contribution to the project..  Therefore, it is crucial that a committer is committed to ongoing work on the project in the longer term, not just short term.  For more information on how committers are added after project creation see:
Line 109: Line 84:
Please describe any such issues here.
-->
+
+ No issue regarding vendor neutrality.
  
 
== Meets Board Policy (including IPR, being within Board defined Scope etc) ==
Line 116: Line 93:
== Administrata ==
* Request for Project proposal consideration
** Email: (place link to email to TSC proposing project, this can be obtained from [https://lists.fd.io/pipermail/tsc/ TSC Archives]
+ ** [https://lists.fd.io/pipermail/tsc/2016-July/000207.html Email ]
** Date: (date proposed, makes it simpler to calculate the pre-requisite 2 week time period of gestation before being permitted to be voted on)
+ ** Date: July 25th 2016
+
+ == External links ==
+
+ * http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-64r2.pdf
+ * https://nvd.nist.gov/cpe.cfm
+ * https://web.nvd.nist.gov/view/vuln/search
+ * https://wiki.debian.org/Teams/Security

Latest revision as of 17:15, 13 August 2016


Name

Security Response Team

Project Contact Name and Email

Andi Rowley <andi.rowley@c9h.org>

Repository Name

srt

Description

Key security activities performed by the SRT include:

  • Conduct the risk assessment and use the results to supplement the baseline security controls;
  • Analyze security requirements;
  • Perform functional and security testing;
  • Prepare initial documents for system certification and accreditation;
  • Design security architecture;
  • Maintain CPE (Common Platform Enumeration) registrations with NIST on behalf of all FD.io projects; and
  • Monitor the National Vulnerability Database (NVD) for issues which may apply to CPEs registered by FD.io.
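The last activity is the one with a concrete mechanical core: every NVD record carries a "configurations" block of CPE match criteria, and a new CVE "may apply" to an FD.io project when one of the project's registered CPE names satisfies a criterion that is flagged vulnerable. As an added example, not code from the SRT project or from fd.io, the following Python triage script does that match offline against an inline sample feed. It handles both literal-version criteria and the versionStartIncluding/versionStartExcluding/versionEndIncluding/versionEndExcluding range attributes the NVD uses, and it ignores vulnerable=false ("running on") platform entries so that it errs toward flagging. The CPE names and the CVE records are constructed placeholders (fd.io's real registrations are not on this page; the CVE ids use year 0000, which is never issued), and nothing here calls the NVD API.

```python
"""Triage NVD CVE records against a project's registered CPE names.

Added example, not SRT project code.  CPE names are assumed placeholders,
and the records are constructed in the shape of the NVD CVE API 2.0
'configurations' block with placeholder ids (year 0000 is never issued).
"""
import re
from typing import Dict, List

RANGE_KEYS = ("versionStartIncluding", "versionStartExcluding",
              "versionEndIncluding", "versionEndExcluding")


def split_cpe23(cpe: str) -> List[str]:
    """Split a CPE 2.3 formatted string into its 13 components.
    A colon inside a component is escaped as backslash-colon and must not split."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    return parts


def version_key(version: str):
    """Sort key comparing numeric segments as numbers, so 16.09 > 16.6 and
    17.01.1 > 17.01; non-numeric segments compare as text after numbers."""
    return [(0, int(seg)) if seg.isdigit() else (1, seg)
            for seg in re.split(r"[.\-]", version)]


def _in_range(version: str, match: Dict) -> bool:
    """Apply the optional NVD version range attributes of one cpeMatch entry."""
    v = version_key(version)
    lo_inc, lo_exc = match.get("versionStartIncluding"), match.get("versionStartExcluding")
    hi_inc, hi_exc = match.get("versionEndIncluding"), match.get("versionEndExcluding")
    if lo_inc is not None and v < version_key(lo_inc):
        return False
    if lo_exc is not None and v <= version_key(lo_exc):
        return False
    if hi_inc is not None and v > version_key(hi_inc):
        return False
    if hi_exc is not None and v >= version_key(hi_exc):
        return False
    return True


def cpe_match(match: Dict, name: str) -> bool:
    """True when a registered CPE name satisfies one NVD cpeMatch entry:
    each criteria component must equal the name's component or be the ANY
    wildcard '*'; a wildcard version is then constrained by the range
    attributes, and a name without a concrete version cannot satisfy a range."""
    crit, own = split_cpe23(match["criteria"]), split_cpe23(name)
    for c, o in zip(crit[2:], own[2:]):
        if c != "*" and c.lower() != o.lower():
            return False
    if any(k in match for k in RANGE_KEYS):
        if own[5] in ("*", "-"):      # component 5 is the version
            return False
        return _in_range(own[5], match)
    return True


def applicable_cves(records: List[Dict], registered: List[str]) -> Dict[str, List[str]]:
    """Map CVE id -> registered CPE names that hit a vulnerable cpeMatch entry.
    vulnerable=False entries (the 'running on' platform side of an AND
    configuration) are ignored and negated nodes are skipped, so the result
    errs toward flagging a CVE for a human to dismiss, never toward dropping one."""
    out: Dict[str, List[str]] = {}
    for rec in records:
        cve = rec["cve"]
        hits = set()
        for conf in cve.get("configurations", []):
            for node in conf.get("nodes", []):
                if node.get("negate"):
                    continue
                for m in node.get("cpeMatch", []):
                    if not m.get("vulnerable"):
                        continue
                    hits.update(n for n in registered if cpe_match(m, n))
        if hits:
            out[cve["id"]] = sorted(hits)
    return out


# Assumed placeholder registrations, not fd.io's real CPE names.
REGISTERED = [
    "cpe:2.3:a:fd.io:vpp:16.06:*:*:*:*:*:*:*",
    "cpe:2.3:a:fd.io:honeycomb:1.0.0:*:*:*:*:*:*:*",
]


def _rec(cve_id, *matches):
    """Build one constructed record in the NVD CVE API 2.0 shape."""
    return {"cve": {"id": cve_id, "configurations": [
        {"nodes": [{"operator": "OR", "negate": False, "cpeMatch": list(matches)}]}]}}


SAMPLE_FEED = [  # constructed sample records; the ids are placeholders
    _rec("CVE-0000-0001",  # range: vpp before 16.09, so 16.06 is affected
         {"vulnerable": True, "criteria": "cpe:2.3:a:fd.io:vpp:*:*:*:*:*:*:*:*",
          "versionEndExcluding": "16.09"}),
    _rec("CVE-0000-0002",  # range starts at 1.1.0, so honeycomb 1.0.0 is not
         {"vulnerable": True, "criteria": "cpe:2.3:a:fd.io:honeycomb:*:*:*:*:*:*:*:*",
          "versionStartIncluding": "1.1.0"}),
    _rec("CVE-0000-0003",  # literal version plus a non-vulnerable platform entry
         {"vulnerable": True, "criteria": "cpe:2.3:a:fd.io:vpp:16.06:*:*:*:*:*:*:*"},
         {"vulnerable": False, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"}),
]

if __name__ == "__main__":
    for cve_id, names in applicable_cves(SAMPLE_FEED, REGISTERED).items():
        print(cve_id, "->", ", ".join(names))
```

Run against the sample feed it reports CVE-0000-0001 and CVE-0000-0003 for the vpp name and nothing for honeycomb. Two caveats a practitioner should keep in mind: a registered CPE with a wildcard version can never satisfy a ranged criterion here, so registrations should carry the concrete release version, and the version comparison is numeric-segment based, which is right for dotted release numbers but not for vendor-specific schemes such as "16.09-rc1" versus "16.09".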


Scope

The scope of this project includes:

  • Security aspects of the SDLC
  • Development and maintenance of security response SOPs
  • Development and management of security policy documents
  • NIST CPE registrations for FD.io projects

Initial Committers

Name          Email                          IRC nick   LFID
C.J. Collier  cjcollier@linuxfoundation.org  cj         cjcollier
Andi Rowley   andi.rowley@c9h.org            human_     arowley


Vendor Neutral

No issue regarding vendor neutrality.

Meets Board Policy (including IPR, being within Board defined Scope etc)

Meets board policy as expressed in Technical Community Charter and IP Policy

Administrata

  • Request for Project proposal consideration
      • Email: https://lists.fd.io/pipermail/tsc/2016-July/000207.html
      • Date: July 25th 2016

External links

  • http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-64r2.pdf
  • https://nvd.nist.gov/cpe.cfm
  • https://web.nvd.nist.gov/view/vuln/search
  • https://wiki.debian.org/Teams/Security