mellium
/
xmpp
9
8
Fork 6
Code Issues 54 Pull Requests 5 Releases 12 Activity

docs: add security assurance to security.md #294

New Issue
Open
opened 2022-05-31 14:36:27 +00:00 by SamWhited · 0 comments
SamWhited commented 2022-05-31 14:36:27 +00:00
Owner

The SECURITY.md file should contain an assurance that includes:

  • a description of the threat model,
  • clear identification of trust boundaries,
  • an argument that secure design principles have been applied,
  • and an argument that common implementation security weaknesses have been countered.

See also: "Software Assurance Using Structured Assurance Case Models", Thomas Rhodes et al, NIST Interagency Report 7608

The `SECURITY.md` file should contain an assurance that includes: - a description of the threat model, - clear identification of trust boundaries, - an argument that secure design principles have been applied, - and an argument that common implementation security weaknesses have been countered. See also: [_"Software Assurance Using Structured Assurance Case Models"_, Thomas Rhodes et al, NIST Interagency Report 7608](https://www.nist.gov/publications/software-assurance-using-structured-assurance-case-models)
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
xep-0420
main
openfire_tests
dial_testing
bump_deps
137_bob
cb_tls13
styling_dedup
ci_mcabber
fix_mcabber
goupdate
genxml
forward_unwrap_tests
fields
fixed
xtime_ejabberd_integration
stream_config
moved2
118_default_serve
126_verify_valid_tokens
integration_test_fixes
s2s_package
profanity_integration_tests
fix_state_mutex_race
context_deadline
sasl_test_package
integration_design
marshal_tokenreader
session_decoder
namespace_fixes
stanza_mux
textutil
codec
experiment_allocs
xep0004_data_forms
xep0199_ping
v0.21.4
v0.21.3
v0.21.2
v0.21.1
v0.21.0
v0.20.0
v0.19.0
v0.18.0
v0.17.1
v0.17.0
v0.16.0
v0.15.0
v0.14.0
v0.13.0
v0.12.0
v0.11.1
v0.11.0
v0.10.0
v0.9.0
v0.8.0
v0.7.2
v0.7.1
v0.7.0
v0.6.0
v0.5.0
v0.4.0
v0.3.0
v0.2.0
v0.1.0
v0.0.1
Labels
Clear labels   
bug

Something isn't working   
CI

Changes relating to builds and CI   
documentation

Requires non-code documentation changes   
duplicate

This issue or pull request already exists   
enhancement

New feature or request   
good first issue

Good for newcomers   
help wanted

Extra attention is needed   
i18n

Internationalization concerns   
invalid

This doesn't seem right   
needs-investigation

This issue needs to be investigated before being further classified or rejected.   
ops

Issue related to operations (but not operational security)   
proposal

A proposal for a new feature or large change   
proposal-accepted

Status for proposals that will be implemented.   
proposal-declined

Status of proposals that will not be implemented.   
question

Further information is requested   
refactor

Any issue meant to track a refactor of code   
security

Any issue with an impact on security including vulnerabilities   
testing

Changes related to testing such as new tests or harnesses   
upstream

A tracking issue for a problem with an upstream project   
wontfix

This will not be worked on
  
Kind: Breaking
   
Kind: Bug
   
Kind: Documentation
   
Kind: Enhancement
   
Kind: Feature
   
Kind: Maintenance
   
Kind: Question
   
Kind: Security
   
Kind: Testing
   
Priority: Critical

The priority is critical   
Priority: High

The priority is high   
Priority: Low

The priority is low   
Priority: Medium

The priority is medium   
Reviewed: Confirmed

Something has been confirmed   
Reviewed: Duplicate

Something exists already   
Reviewed: Invalid

Something was marked as invalid   
Status: Blocked
   
Status: Completed

Work is complete   
Status: Help wanted
   
Status: In progress

Work is in progress   
Status: Needs feedback

Feedback is needed   
Status: Stale
No Label
bug
CI
documentation
duplicate
enhancement
good first issue
help wanted
i18n
invalid
needs-investigation
ops
proposal
proposal-accepted
proposal-declined
question
refactor
security
testing
upstream
wontfix
Kind: Breaking
Kind: Bug
Kind: Documentation
Kind: Enhancement
Kind: Feature
Kind: Maintenance
Kind: Question
Kind: Security
Kind: Testing
Priority: Critical
Priority: High
Priority: Low
Priority: Medium
Reviewed: Confirmed
Reviewed: Duplicate
Reviewed: Invalid
Status: Blocked
Status: Completed
Status: Help wanted
Status: In progress
Status: Needs feedback
Status: Stale
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: mellium/xmpp#294
There is no content yet.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may exist for a short time before cleaning up, in most cases it CANNOT be undone. Continue?