Review existing frameworks wrt. cloud-native

[ficcaglia]

This has come up in the calls that referencing a standardized model and/or vocabulary might be useful. Here's a list of frameworks that we might consider in no particular order...none of these seems immediately applicable to CN projects, but can be mapped to CN or a derivative vocabulary/model can learn from these:

• MITRE ATT&CK
• Parkerian Hexad/CIA Triad
• Lockheed Martin Cyber Kill Chain®
• Microsoft STRIDE and/or DREAD
• CVSS
• Trike
• MIL-STD-882E
• OCTAVE
• VAST
• PASTA
• Others

[rficcaglia]

#20 might be relevant but that google doc is not available. perhaps someone with access can share?

[rficcaglia]

Also https://github.com/coreinfrastructure/best-practices-badge/blob/master/doc/criteria.md#security

[rficcaglia]

I distilled the CII criteria down to a few worksheets that might be useful for the sig-security process.

https://docs.google.com/spreadsheets/d/1P0LFTCo1WxxU90J3HR0G7rXKqiTrHxd4yp2nbeMt9Vo/edit?usp=sharing

Note - I am not suggesting that this (or any such worksheet) be required ... I am publishing this to motivate discussion on how assessors might organize their assessment discussions. I hope this motivates discourse - at least at a high level - on how both project participants and security reviewers can consistently structure the discussion.

There are many other frameworks and I will attempt to create similar worksheets for those, then eventually hope to combine the concepts from all the frameworks into one consolidated worksheet for the group to review as a supplemental resource.

On previous calls there seems to be a concern about using "checklists" which might reduce the exercise to a cursory, mechanical review; but the goal here isn't to drive the process based solely on these worksheets. Instead it is meant to scaffold preparation.

[ficcaglia]

added dependencies to the worksheet based off:
https://github.com/coreinfrastructure/best-practices-badge/blob/master/doc/other.md#externally-maintained-components

[ultrasaurus]

thanks for writing this up @ficcaglia -- labelling so assessment team can easily find and reflect

[rficcaglia]

this one came up on the call today:
https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment

[rficcaglia]

how could I forget good ol' NIST:
https://nvd.nist.gov/800-53/Rev4

Certainly visiting each of these control families and asking a project how each would be impacted by the project, or how each applies (or not) to the scope of the assessment for each project.

[stale]

This issue has been automatically marked as inactive because it has not had recent activity.

[lumjjb]

Relevant to #635, closing if additional scope not required.

[lumjjb]

@TheFoxAtWork
That looks more like threat modeling and less on controls
and we don’t exactly have a cloud native threat model… yet (not sure we should)

Seems like we will defer this issue, revisit when staleness hits again

[stale]

This issue has been automatically marked as inactive because it has not had recent activity.

[anvega]

Thanks for capturing this early on. We've carried out several initiatives and efforts in the past couple of years that map or translate these frameworks to the cloud native ecosystem. As such, and as it has been a few years, I'll be closing the issue to keep the issue tracker tidy. If you feel there is a particular framework we still need to get around to that you'd like to see happen, let's bring it up on the regular call or file a specific issue.