-
Notifications
You must be signed in to change notification settings - Fork 89
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This PR brings enhancement to the existing TRG with a new addition of TRG 8.0 for Security specific topics.
- Loading branch information
Showing
6 changed files
with
131 additions
and
0 deletions.
There are no files selected for viewing
37 changes: 37 additions & 0 deletions
37
docs/release/trg-8/TRG 8.01 Security Scanning Toolchain.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
--- | ||
title: TRG 8.01 - Security Scanning Toolchain | ||
--- | ||
|
||
| Status | Created | Post-History | | ||
|--------|-------------|--------------------------------------| | ||
| Active | 14-Feb-2024 | Initial release | | ||
|
||
## Why | ||
|
||
Our primary aim is to improve security and define best practices across the Tractus-X ecosystem. | ||
|
||
## Description | ||
|
||
A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. These tools can be used at various stages of the software development lifecycle (**SDLC**), from development to deployment and beyond. | ||
|
||
### Benefits of Security Scanning Toolchain | ||
|
||
- Reduced risk of security breaches | ||
- Improved compliance posture | ||
- Increased confidence in the security of software applications | ||
- Lower costs associated with security incidents. | ||
|
||
## Tools that we’re using | ||
|
||
- **SAST**: open-source: CodeQL,Snyk,commercial: Veracode | ||
- **SCA**: open-source: Snyk, commercial: Veracode | ||
- **DAST**: open-source: Owasp ZAP, commercial: Invicti | ||
- **IaC**: open-source: KICS | ||
- **Secret Scanning**: open-source: GitGuardian | ||
- **Container Scanner**: open-source: Trivy | ||
|
||
:::info | ||
|
||
For more detailed information please go to our [GitHub](https://github.com/eclipse-tractusx/sig-security/blob/main/security-tooling.md) page. | ||
|
||
::: |
54 changes: 54 additions & 0 deletions
54
docs/release/trg-8/TRG 8.02 Security Assessment Process.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
--- | ||
title: TRG 8.02 Security Assessment Process | ||
--- | ||
|
||
| Status | Created | Post-History | | ||
|--------|-------------|--------------------------------------| | ||
| Active | 14-Feb-2024 | Initial release | | ||
|
||
## Why | ||
|
||
Our primary aim is to improve security and define best practices across the Tractus-X ecosystem. | ||
Our security assessment process, based on threat modeling, is meticulously designed to safeguard your applications and products against potential vulnerabilities and cyber threats. | ||
|
||
## Description | ||
|
||
Our security assessment process is an in-depth analysis that evaluates your applications and products security posture. This process is integral to identifying and mitigating risks before they become critical issues. | ||
|
||
:::tip | ||
|
||
Check out our [Security Assessment Template](https://github.com/eclipse-tractusx/sig-security/blob/main/security-assessment-template.md). | ||
|
||
::: | ||
|
||
## Key Features of Our Security Assessment Process | ||
|
||
### Early Detection | ||
|
||
- We identify potential security threats early in the development lifecycle, reducing the risk of future exploits. | ||
|
||
### Comprehensive Analysis | ||
|
||
- Our process includes a detailed examination of business processes, application architecture, implemented security controls, and maintenance requirements. | ||
|
||
### Tailored to Your Needs | ||
|
||
- Whether assessing a new application or revisiting an existing one, already reviewed, our approach is adaptable to suit your specific requirements. | ||
|
||
### Continuous Improvement | ||
|
||
- We believe in evolving our assessment process to stay ahead of emerging threats, ensuring your application's security is robust and up-to-date. | ||
|
||
## Phases of the Security Assessment Process | ||
|
||
1. **Kickoff and Scope Definition**: We begin by defining the scope and gathering essential information about the application, whether it's a new project or an ongoing one. | ||
2. **Information Gathering**: Our team collects detailed information about application interactions, interfaces, and existing security controls. | ||
3. **Data Flow Analysis**: We create data flow diagrams to visualize and assess how information moves within your product. | ||
4. **Vulnerability Identification**: Using our expertise, we identify potential vulnerabilities within your application's architecture, based on customized STRIDE methodology. | ||
5. **Reporting**: We compile a comprehensive report detailing the identified vulnerabilities, potential risks, and recommended mitigation strategies. | ||
|
||
:::info | ||
|
||
For more detailed information please go to our [GitHub](https://github.com/eclipse-tractusx/sig-security/blob/main/security-assessment.md) page. | ||
|
||
::: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
--- | ||
title: TRG 8.03 Security Support | ||
--- | ||
|
||
| Status | Created | Post-History | | ||
|--------|-------------|--------------------------------------| | ||
| Active | 14-Feb-2024 | Initial release | | ||
|
||
## Why | ||
|
||
Reporting security issue is essential for enhancing security, mitigating risks and safeguarding users. It ensures prompt identification and resolution, fostering continuous improvement and maintaining trust in systems. | ||
|
||
## Description | ||
|
||
This page contains information on initiating requests for Security Assessment, Security Tooling Support, Tractus-X OSS Tool Membership and report a security vulnerability. It also addresses procedures related to Ask the community for help and Enhance documentation. | ||
|
||
## How to Create an Issue | ||
|
||
**Step 1:** Go to the "sig-security" repository [GitHub](https://github.com/eclipse-tractusx/sig-security). | ||
|
||
**Step 2:** Click Issues tab and then click New issue. | ||
|
||
![Chart Releaser Action](assets/trg-8-create-an-issue.PNG) | ||
|
||
**Step 3:** Click on either "Get Started" or "Report a Vulnerability" or "Open" as per the specific request shown below. | ||
|
||
![Chart Releaser Action](assets/trg-8-get-started.PNG) | ||
|
||
**Step 4:** Fill out the form with necessary information and attach the required documents. | ||
|
||
**Step 5:** You can click on "Preview" to see how the description looks like and When you're done, click "Submit new issue". | ||
|
||
:::info | ||
|
||
If you're a project maintainer, you can assign the issue to someone, add it to a project, associate it with a milestone, or apply a label. | ||
|
||
::: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
{ | ||
"label": "TRG 8 - Security" | ||
} |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.