Skip to content

Commit

Permalink
Security TRG
Browse files Browse the repository at this point in the history
This PR brings enhancement to the existing TRG with a new addition of TRG 8.0 for Security specific topics.
  • Loading branch information
klaudiaZF authored Feb 9, 2024
1 parent 8499c1e commit 2f130c7
Show file tree
Hide file tree
Showing 6 changed files with 131 additions and 0 deletions.
37 changes: 37 additions & 0 deletions docs/release/trg-8/TRG 8.01 Security Scanning Toolchain.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
---
title: TRG 8.01 - Security Scanning Toolchain
---

| Status | Created | Post-History |
|--------|-------------|--------------------------------------|
| Active | 14-Feb-2024 | Initial release |

## Why

Our primary aim is to improve security and define best practices across the Tractus-X ecosystem.

## Description

A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. These tools can be used at various stages of the software development lifecycle (**SDLC**), from development to deployment and beyond.

### Benefits of Security Scanning Toolchain

- Reduced risk of security breaches
- Improved compliance posture
- Increased confidence in the security of software applications
- Lower costs associated with security incidents.

## Tools that we’re using

- **SAST**: open-source: CodeQL,Snyk,commercial: Veracode
- **SCA**: open-source: Snyk, commercial: Veracode
- **DAST**: open-source: Owasp ZAP, commercial: Invicti
- **IaC**: open-source: KICS
- **Secret Scanning**: open-source: GitGuardian
- **Container Scanner**: open-source: Trivy

:::info

For more detailed information please go to our [GitHub](https://github.com/eclipse-tractusx/sig-security/blob/main/security-tooling.md) page.

:::
54 changes: 54 additions & 0 deletions docs/release/trg-8/TRG 8.02 Security Assessment Process.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
---
title: TRG 8.02 Security Assessment Process
---

| Status | Created | Post-History |
|--------|-------------|--------------------------------------|
| Active | 14-Feb-2024 | Initial release |

## Why

Our primary aim is to improve security and define best practices across the Tractus-X ecosystem.
Our security assessment process, based on threat modeling, is meticulously designed to safeguard your applications and products against potential vulnerabilities and cyber threats.

## Description

Our security assessment process is an in-depth analysis that evaluates your applications and products security posture. This process is integral to identifying and mitigating risks before they become critical issues.

:::tip

Check out our [Security Assessment Template](https://github.com/eclipse-tractusx/sig-security/blob/main/security-assessment-template.md).

:::

## Key Features of Our Security Assessment Process

### Early Detection

- We identify potential security threats early in the development lifecycle, reducing the risk of future exploits.

### Comprehensive Analysis

- Our process includes a detailed examination of business processes, application architecture, implemented security controls, and maintenance requirements.

### Tailored to Your Needs

- Whether assessing a new application or revisiting an existing one, already reviewed, our approach is adaptable to suit your specific requirements.

### Continuous Improvement

- We believe in evolving our assessment process to stay ahead of emerging threats, ensuring your application's security is robust and up-to-date.

## Phases of the Security Assessment Process

1. **Kickoff and Scope Definition**: We begin by defining the scope and gathering essential information about the application, whether it's a new project or an ongoing one.
2. **Information Gathering**: Our team collects detailed information about application interactions, interfaces, and existing security controls.
3. **Data Flow Analysis**: We create data flow diagrams to visualize and assess how information moves within your product.
4. **Vulnerability Identification**: Using our expertise, we identify potential vulnerabilities within your application's architecture, based on customized STRIDE methodology.
5. **Reporting**: We compile a comprehensive report detailing the identified vulnerabilities, potential risks, and recommended mitigation strategies.

:::info

For more detailed information please go to our [GitHub](https://github.com/eclipse-tractusx/sig-security/blob/main/security-assessment.md) page.

:::
37 changes: 37 additions & 0 deletions docs/release/trg-8/TRG 8.03 Security Support.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
---
title: TRG 8.03 Security Support
---

| Status | Created | Post-History |
|--------|-------------|--------------------------------------|
| Active | 14-Feb-2024 | Initial release |

## Why

Reporting security issue is essential for enhancing security, mitigating risks and safeguarding users. It ensures prompt identification and resolution, fostering continuous improvement and maintaining trust in systems.

## Description

This page contains information on initiating requests for Security Assessment, Security Tooling Support, Tractus-X OSS Tool Membership and report a security vulnerability. It also addresses procedures related to Ask the community for help and Enhance documentation.

## How to Create an Issue

**Step 1:** Go to the "sig-security" repository [GitHub](https://github.com/eclipse-tractusx/sig-security).

**Step 2:** Click Issues tab and then click New issue.

![Chart Releaser Action](assets/trg-8-create-an-issue.PNG)

**Step 3:** Click on either "Get Started" or "Report a Vulnerability" or "Open" as per the specific request shown below.

![Chart Releaser Action](assets/trg-8-get-started.PNG)

**Step 4:** Fill out the form with necessary information and attach the required documents.

**Step 5:** You can click on "Preview" to see how the description looks like and When you're done, click "Submit new issue".

:::info

If you're a project maintainer, you can assign the issue to someone, add it to a project, associate it with a milestone, or apply a label.

:::
3 changes: 3 additions & 0 deletions docs/release/trg-8/_category_.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
{
"label": "TRG 8 - Security"
}
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/release/trg-8/assets/trg-8-get-started.PNG
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.

0 comments on commit 2f130c7

Please sign in to comment.