Merge pull request #1 from klaudiaZF/klaudiaZF-patch-1

Security TRG

docs/release/trg-8/TRG 8.01 Security Scanning Toolchain.md

@@ -0,0 +1,37 @@
+---
+title: TRG 8.01 - Security Scanning Toolchain
+---
+
+| Status | Created     | Post-History                         |
+|--------|-------------|--------------------------------------|
+| Active | 14-Feb-2024 | Initial release                      |
+
+## Why
+
+Our primary aim is to improve security and define best practices across the Tractus-X ecosystem.
+
+## Description
+
+A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. These tools can be used at various stages of the software development lifecycle (**SDLC**), from development to deployment and beyond.
+
+### Benefits of Security Scanning Toolchain
+
+- Reduced risk of security breaches
+- Improved compliance posture
+- Increased confidence in the security of software applications
+- Lower costs associated with security incidents.
+
+## Tools that we’re using
+
+- **SAST**: open-source: CodeQL,Snyk,commercial: Veracode
+- **SCA**: open-source: Snyk, commercial: Veracode
+- **DAST**: open-source: Owasp ZAP, commercial: Invicti
+- **IaC**: open-source: KICS
+- **Secret Scanning**: open-source: GitGuardian
+- **Container Scanner**: open-source: Trivy
+
+:::info
+
+For more detailed information please go to our [GitHub](https://github.com/eclipse-tractusx/sig-security/blob/main/security-tooling.md) page.
+
+:::

docs/release/trg-8/TRG 8.02 Security Assessment Process.md

@@ -0,0 +1,54 @@
+---
+title: TRG 8.02 Security Assessment Process
+---
+
+| Status | Created     | Post-History                         |
+|--------|-------------|--------------------------------------|
+| Active | 14-Feb-2024 | Initial release                      |
+
+## Why
+
+Our primary aim is to improve security and define best practices across the Tractus-X ecosystem.
+Our security assessment process, based on threat modeling, is meticulously designed to safeguard your applications and products against potential vulnerabilities and cyber threats.
+
+## Description
+
+Our security assessment process is an in-depth analysis that evaluates your applications and products security posture. This process is integral to identifying and mitigating risks before they become critical issues.
+
+:::tip
+
+Check out our [Security Assessment Template](https://github.com/eclipse-tractusx/sig-security/blob/main/security-assessment-template.md).
+
+:::
+
+## Key Features of Our Security Assessment Process
+
+### Early Detection
+
+- We identify potential security threats early in the development lifecycle, reducing the risk of future exploits.
+
+### Comprehensive Analysis
+
+- Our process includes a detailed examination of business processes, application architecture, implemented security controls, and maintenance requirements.
+
+### Tailored to Your Needs
+
+- Whether assessing a new application or revisiting an existing one, already reviewed, our approach is adaptable to suit your specific requirements.
+
+### Continuous Improvement
+
+- We believe in evolving our assessment process to stay ahead of emerging threats, ensuring your application's security is robust and up-to-date.
+
+## Phases of the Security Assessment Process
+
+1. **Kickoff and Scope Definition**: We begin by defining the scope and gathering essential information about the application, whether it's a new project or an ongoing one.
+2. **Information Gathering**: Our team collects detailed information about application interactions, interfaces, and existing security controls.
+3. **Data Flow Analysis**: We create data flow diagrams to visualize and assess how information moves within your product.
+4. **Vulnerability Identification**: Using our expertise, we identify potential vulnerabilities within your application's architecture, based on customized  STRIDE methodology.
+5. **Reporting**: We compile a comprehensive report detailing the identified vulnerabilities, potential risks, and recommended mitigation strategies.
+
+:::info
+
+For more detailed information please go to our [GitHub](https://github.com/eclipse-tractusx/sig-security/blob/main/security-assessment.md) page.
+
+:::

docs/release/trg-8/TRG 8.03 Security Support.md

@@ -0,0 +1,37 @@
+---
+title: TRG 8.03 Security Support
+---
+
+| Status | Created     | Post-History                         |
+|--------|-------------|--------------------------------------|
+| Active | 14-Feb-2024 | Initial release                      |
+
+## Why
+
+Reporting security issue is essential for enhancing security, mitigating risks and safeguarding users. It ensures prompt identification and resolution, fostering continuous improvement and maintaining trust in systems.
+
+## Description
+
+This page contains information on initiating requests for Security Assessment, Security Tooling Support, Tractus-X OSS Tool Membership and report a security vulnerability. It also addresses procedures related to Ask the community for help and Enhance documentation.
+
+## How to Create an Issue
+
+**Step 1:** Go to the "sig-security" repository [GitHub](https://github.com/eclipse-tractusx/sig-security).
+
+**Step 2:** Click Issues tab and then click New issue.
+
+![Chart Releaser Action](assets/trg-8-create-an-issue.PNG)
+
+**Step 3:** Click on either "Get Started" or "Report a Vulnerability" or "Open"  as per the specific request shown below.
+
+![Chart Releaser Action](assets/trg-8-get-started.PNG)
+
+**Step 4:** Fill out the form with necessary information and attach the required documents.
+
+**Step 5:** You can click on "Preview" to see how the description looks like and When you're done, click "Submit new issue".
+
+:::info
+
+If you're a project maintainer, you can assign the issue to someone, add it to a project, associate it with a milestone, or apply a label.
+
+:::

docs/release/trg-8/_category_.json

@@ -0,0 +1,3 @@
+{
+  "label": "TRG 8 - Security"
+}