Collecting Interest on the Development of Documenation of Common Expectations for Security Audits

[jkjell]

All security audits are not created equal. Many of the projects and products which request security audits, may not have deep security expertise. We'd like to help those requesters of Security Audits to better understand what they should expect from a Security Audit, to know what "good" looks like. The expectations will likely vary by the scope of work and amount of time allowed for the audit itself. Given those practical constraints, what's the most important thing to start with? What should be prioritized as time allows?

For additiontal background, here is some information about CNCF sponsored Security Audits for projects: https://contribute.cncf.io/resources/project-services/audits/

One of the first things to do will be to formalize the scope of the above and more properly define any of the terms I may have misused. ☺️

[JustinCappos]

I think that an org should really understand their threat model and attack surface first. This is at the heart of how to interpret the result on an audit.

Now, to be a little more biased, at least the threat modeling part is what CNCF's assessment process does. A self-assessment will help a project, but these are highly variable in quality. The joint-assessment process makes the quality quite high, but does take time and effort. This also helps both the project and the auditors know where to focus their effort / attention.

Once you have an audit, you need to maintain quality, etc. This largely comes from updating the assessment (or similar) while maintaining the best practices for secure development. These practices are largely covered by "baseline" (for some definition of that word). 😆