diff --git a/docs/release/trg-8/TRG 8.01 Security Scanning Toolchain.md b/docs/release/trg-8/TRG 8.01 Security Scanning Toolchain.md new file mode 100644 index 00000000000..3e1a695d682 --- /dev/null +++ b/docs/release/trg-8/TRG 8.01 Security Scanning Toolchain.md @@ -0,0 +1,37 @@ +--- +title: TRG 8.01 - Security Scanning Toolchain +--- + +| Status | Created | Post-History | +|--------|-------------|--------------------------------------| +| Active | 14-Feb-2024 | Initial release | + +## Why + +Our primary aim is to improve security and define best practices across the Tractus-X ecosystem. + +## Description + +A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. These tools can be used at various stages of the software development lifecycle (**SDLC**), from development to deployment and beyond. + +### Benefits of Security Scanning Toolchain + +- Reduced risk of security breaches +- Improved compliance posture +- Increased confidence in the security of software applications +- Lower costs associated with security incidents. + +## Tools that we’re using + +- **SAST**: open-source: CodeQL,Snyk,commercial: Veracode +- **SCA**: open-source: Snyk, commercial: Veracode +- **DAST**: open-source: Owasp ZAP, commercial: Invicti +- **IaC**: open-source: KICS +- **Secret Scanning**: open-source: GitGuardian +- **Container Scanner**: open-source: Trivy + +:::info + +For more detailed information please go to our [GitHub](https://github.com/eclipse-tractusx/sig-security/blob/main/security-tooling.md) page. + +::: \ No newline at end of file diff --git a/docs/release/trg-8/TRG 8.02 Security Assessment Process.md b/docs/release/trg-8/TRG 8.02 Security Assessment Process.md new file mode 100644 index 00000000000..70b35fcb0ef --- /dev/null +++ b/docs/release/trg-8/TRG 8.02 Security Assessment Process.md 
@@ -0,0 +1,54 @@ +--- +title: TRG 8.02 Security Assessment Process +--- + +| Status | Created | Post-History | +|--------|-------------|--------------------------------------| +| Active | 14-Feb-2024 | Initial release | + +## Why + +Our primary aim is to improve security and define best practices across the Tractus-X ecosystem. +Our security assessment process, based on threat modeling, is meticulously designed to safeguard your applications and products against potential vulnerabilities and cyber threats. + +## Description + +Our security assessment process is an in-depth analysis that evaluates your applications and products security posture. This process is integral to identifying and mitigating risks before they become critical issues. + +:::tip + +Check out our [Security Assessment Template](https://github.com/eclipse-tractusx/sig-security/blob/main/security-assessment-template.md). + +::: + +## Key Features of Our Security Assessment Process + +### Early Detection + +- We identify potential security threats early in the development lifecycle, reducing the risk of future exploits. + +### Comprehensive Analysis + +- Our process includes a detailed examination of business processes, application architecture, implemented security controls, and maintenance requirements. + +### Tailored to Your Needs + +- Whether assessing a new application or revisiting an existing one, already reviewed, our approach is adaptable to suit your specific requirements. + +### Continuous Improvement + +- We believe in evolving our assessment process to stay ahead of emerging threats, ensuring your application's security is robust and up-to-date. + +## Phases of the Security Assessment Process + +1. **Kickoff and Scope Definition**: We begin by defining the scope and gathering essential information about the application, whether it's a new project or an ongoing one. +2. 
**Information Gathering**: Our team collects detailed information about application interactions, interfaces, and existing security controls. +3. **Data Flow Analysis**: We create data flow diagrams to visualize and assess how information moves within your product. +4. **Vulnerability Identification**: Using our expertise, we identify potential vulnerabilities within your application's architecture, based on customized STRIDE methodology. +5. **Reporting**: We compile a comprehensive report detailing the identified vulnerabilities, potential risks, and recommended mitigation strategies. + +:::info + +For more detailed information please go to our [GitHub](https://github.com/eclipse-tractusx/sig-security/blob/main/security-assessment.md) page. + +::: \ No newline at end of file diff --git a/docs/release/trg-8/TRG 8.03 Security Support.md b/docs/release/trg-8/TRG 8.03 Security Support.md new file mode 100644 index 00000000000..5522d28166c --- /dev/null +++ b/docs/release/trg-8/TRG 8.03 Security Support.md 
@@ -0,0 +1,37 @@ +--- +title: TRG 8.03 Security Support +--- + +| Status | Created | Post-History | +|--------|-------------|--------------------------------------| +| Active | 14-Feb-2024 | Initial release | + +## Why + +Reporting security issue is essential for enhancing security, mitigating risks and safeguarding users. It ensures prompt identification and resolution, fostering continuous improvement and maintaining trust in systems. + +## Description + +This page contains information on initiating requests for Security Assessment, Security Tooling Support, Tractus-X OSS Tool Membership and report a security vulnerability. It also addresses procedures related to Ask the community for help and Enhance documentation. + +## How to Create an Issue + +**Step 1:** Go to the "sig-security" repository [GitHub](https://github.com/eclipse-tractusx/sig-security). + +**Step 2:** Click Issues tab and then click New issue. + +![Chart Releaser Action](assets/trg-8-create-an-issue.PNG) + +**Step 3:** Click on either "Get Started" or "Report a Vulnerability" or "Open" as per the specific request shown below. + +![Chart Releaser Action](assets/trg-8-get-started.PNG) + +**Step 4:** Fill out the form with necessary information and attach the required documents. + +**Step 5:** You can click on "Preview" to see how the description looks like and When you're done, click "Submit new issue". + +:::info + +If you're a project maintainer, you can assign the issue to someone, add it to a project, associate it with a milestone, or apply a label. + +::: \ No newline at end of file diff --git a/docs/release/trg-8/_category_.json b/docs/release/trg-8/_category_.json new file mode 100644 index 00000000000..4c9752e8a4b --- /dev/null +++ b/docs/release/trg-8/_category_.json @@ -0,0 +1,3 @@ +{ + "label": "TRG 8 - Security" +} 
diff --git a/docs/release/trg-8/assets/trg-8-create-an-issue.PNG b/docs/release/trg-8/assets/trg-8-create-an-issue.PNG new file mode 100644 index 00000000000..77f0013e7ce Binary files /dev/null and b/docs/release/trg-8/assets/trg-8-create-an-issue.PNG differ diff --git a/docs/release/trg-8/assets/trg-8-get-started.PNG b/docs/release/trg-8/assets/trg-8-get-started.PNG new file mode 100644 index 00000000000..46deb7f3251 Binary files /dev/null and b/docs/release/trg-8/assets/trg-8-get-started.PNG differ
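Review bot: In the TRG 8.01 hunk, the list under "## Tools that we're using" mixes up its licensing labels and has spacing errors: `+- **SAST**: open-source: CodeQL,Snyk,commercial: Veracode` needs spaces after the commas and reads as if "commercial" were one more tool, and the open-source/commercial split is applied inconsistently (Snyk is listed as open-source under both SAST and SCA, GitGuardian as open-source for secret scanning, although both are hosted commercial services with free tiers). Suggest one consistent form per line, e.g. `- **SAST**: open-source: CodeQL; commercial: Snyk, Veracode`, verifying each label against the vendor's licensing, and writing `OWASP ZAP`. As a release guideline the page also never states what a product is required to run (which scanners, at which SDLC stage, and whether findings block a release); a short requirements sentence before the `:::info` link would make TRG 8.01 actionable rather than descriptive. Minor: the last benefit bullet ends with a period while the others do not, and the file has no trailing newline (`\ No newline at end of file`).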
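Review bot: In the TRG 8.02 hunk, the numbered phases end at `5. **Reporting**`, so the process as written has no step for tracking remediation or re-checking that findings were fixed, which sits oddly next to the "Continuous Improvement" section above it; consider a sixth phase (mitigation follow-up / re-assessment) or one sentence on how findings are tracked to closure. It would also help to say how a team requests an assessment (the sig-security issue templates described in TRG 8.03) instead of only linking the template. Wording: `applications and products security posture` should be `applications' and products' security posture`; in `revisiting an existing one, already reviewed,` the phrase `already reviewed` is redundant; `based on customized STRIDE methodology` should read `based on a customized STRIDE methodology`. The file is missing its trailing newline.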
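Review bot: In the TRG 8.03 hunk, vulnerability reporting is described through the same public "New issue" flow as every other request, and Step 3 presents "Get Started", "Report a Vulnerability" and "Open" as interchangeable; a vulnerability filed as an ordinary public issue is disclosed to everyone before a fix exists. The page should state explicitly that vulnerabilities must not be filed as public issues, say which entry in the chooser leads to the private reporting flow, and reserve the public templates for assessment, tooling and membership requests. Documentation fixes: both screenshots use the alt text `Chart Releaser Action`, copied from another TRG, which describes neither `trg-8-create-an-issue.PNG` nor `trg-8-get-started.PNG`; `Reporting security issue is essential` should be `Reporting a security issue is essential`; the request types `Ask the community for help` and `Enhance documentation` should be quoted or formatted as template names; Step 5 should read `to see how the description looks, and when you're done, click "Submit new issue"`. The file also lacks a trailing newline.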