Update Security Management process #542
Conversation
sunildevda
requested review from
PandaeDo,
aschemmel-tech,
masc2023 and
pahmann
as code owners
|
The created documentation from the pull request is available at: docu-html |
pahmann
left a comment
pahmann
left a comment
There was a problem hiding this comment.
Initial review finding. More findings may come in following review
| .. | ||
| # ******************************************************************************* | ||
| # Copyright (c) 2025 Contributors to the Eclipse Foundation | ||
| # Copyright (c) 2026 Contributors to the Eclipse Foundation |
There was a problem hiding this comment.
You have a mixture of 2025 and 2026 for the copyright.
New files Copyright 2026
Existing files: Keep 2025.
Kindly browse through your changes and keep it consistent.
In case a file moves the place or get renamed it keeps the existing copyright.
There was a problem hiding this comment.
Copyright reverted back to 2025 for all files.
PandaeDo
left a comment
PandaeDo
left a comment
There was a problem hiding this comment.
Please fix build errors
There was a problem hiding this comment.
This is really hard to understand. It might be easier to understand if you create smaller sentences.
There was a problem hiding this comment.
have modified it. please check if this is ok and reasonable.
process/folder_templates/platform/security_analysis/platform_security_manual.rst
Outdated
Show resolved
Hide resolved
process/folder_templates/platform/security_analysis/platform_security_manual.rst
Outdated
Show resolved
Hide resolved
process/folder_templates/platform/security_analysis/platform_security_manual.rst
Outdated
Show resolved
Hide resolved
process/folder_templates/platform/security_analysis/platform_security_package_fdr.rst
Outdated
Show resolved
Hide resolved
| General Workflow | ||
| **************** | ||
| Some workflows/activities have to be done once (or when there is a significant change in project scope) and some have to be executed continuously. | ||
| Some workflows have to be done centrally once in the project and some for each modules / sub teams. |
There was a problem hiding this comment.
Also this sentence will not have a benefit for the user. You might change it in the direction that the user is guided for the doing.
There was a problem hiding this comment.
have rephrased and used the similar ones as mentioned in safety
| * Creates and monitors the completeness of the security package | ||
| * Creates and maintains the Security Manual | ||
| * Supports creation and maintaining of the SBOM | ||
| * Creates and maintains following Security artifcats at platform level: Platform Security Plan, Platform Security package, Platform Security Manual, Platform SBOM |
There was a problem hiding this comment.
Please check against https://eclipse-score.github.io/process_description/main/process_areas/security_management/security_management_workflow.html. You can use the table at the end of the page. Also it might be a idea to link to here. This would be easier to maintain
There was a problem hiding this comment.
But if we do that, we should do it also for Safety Manager to be consistent, or not?
There was a problem hiding this comment.
@PandaeDo i checked against https://eclipse-score.github.io/process_description/main/process_areas/security_management/security_management_workflow.html and points are mentioned in the responsibility. some are mentioned in later sentences like audit, reviews, training, and so on.
Regarding table, i am not sure if its really needed. its only a single list.
@masc2023 doing changes in safety will need one more approval from safety colleagues. in this PR i have tried to to minimal changes in safety. if these points are agreed here, we can collect all such minor points and check with safety team if they are ok and if yes plan it via a separate task. (if this is the only point then i can also do the changes in this PR but would need to check with safety if they are ok with such changes).
| * Creates and maintains the Security Manual | ||
| * Supports creation and maintaining of the SBOM | ||
| * Creates and maintains following Security artifcats at platform level: Platform Security Plan, Platform Security package, Platform Security Manual, Platform SBOM | ||
| * Approves following Security artifcats at module: Module Security Plan, Module Security package, Module Security Manual, Module SBOM |
There was a problem hiding this comment.
explained in previous point
|
|
||
| Responsibility | ||
|
|
||
| * Performing and reporting of secrity audit |
There was a problem hiding this comment.
| * Performing and reporting of secrity audit | |
| * Performing and reporting of security audit |
process/roles/index.rst
Outdated
| * High-level project control and coordination between multiple software modules | ||
| * Escalation instance | ||
| * Planning and Approval the releases of the <Project> | ||
| * Approves security related artifcats likes security audit, security plan, security package including status reporting of security activities |
There was a problem hiding this comment.
There was a problem hiding this comment.
checked and added all other topics where "approved by: rl__project_lead" is mentioned.
|
|
||
| Security Manual Template | ||
| ========================= | ||
| Module Security Manual |
There was a problem hiding this comment.
Please remove Module, otherwise it is not consistent with Safety, which is just called Safety Manual in the folder structure or we need to be consistent for all documents, Safety and Security have same either using Module or not. I see also for Safety, sometimes used, sometimes not.
There was a problem hiding this comment.
We can rework this for all the templates. I would propose to remove all "Feature, Module, Component" in the document template names because it is obvious from the folder these are in. I would keep/add for all platform level ones as there will not be a dedicated folder for this. I would suggest to create a seperate ticket for this alignment.
There was a problem hiding this comment.
Ticket created here, #549, @aschemmel-tech are you able to join Security Team Meeting on Friday, 11-12 to discuss or shall we align a separate meeting for that?
There was a problem hiding this comment.
Propose at least for the Module folder, to remove all "Module" in the tree.
Propose to add Platform in the tree, beside Stakeholder Requirements
Propose for the Feature Folder to remove "Feature" in the three.
Propose for the Component Folder to remove "Component" in the three.
There was a problem hiding this comment.
As discussed, have removed module name. Let me know if anything is still missing.
| * Refusing the approval of work products as defined in the workflows | ||
| * Refusing the approval of his team's role nomination (i.e. requesting that the role will be withdrawn) | ||
|
|
||
| .. role:: Security External Auditor |
There was a problem hiding this comment.
Now we have two external Auditor, a general one in Safety Management and one for security, either one generic, covering both otherwise should rename in Safety to Safety External Auditor
There was a problem hiding this comment.
the skills needed for auditing are different. For safety it is mentioned that the external auditor needs experience in safety or is a safety manager. we cant reuse the same for security, so i created a similar one. it can happen that one person has both the skills (security and safety know how) and performs the audit. but felt its better to describe the expectation clearly.
also, copied the idea from safety where they clearly define what is the expected qualification and role of an auditor for safety and changed to security here.
There was a problem hiding this comment.
Option 1, add skills to other Role and put it to Overall Roles or keep it and change External Auditor in Safety to Safety External Auditor
| * Creates and monitors the completeness of the security package | ||
| * Creates and maintains the Security Manual | ||
| * Supports creation and maintaining of the SBOM | ||
| * Creates and maintains following Security artifcats at platform level: Platform Security Plan, Platform Security package, Platform Security Manual, Platform SBOM |
There was a problem hiding this comment.
But if we do that, we should do it also for Safety Manager to be consistent, or not?
| * Make familiar with your role description and the other workflows of security management (see :doc:`security_management_roles` or :doc:`security_management_workflow`) | ||
| * Make familiar with the concept :need:`doc_concept__security_management_process` and the :need:`wp__platform_security_plan` | ||
| * Make familiar with the development and supporting process descriptions in :ref:`process_description`, especially with the :need:`wp__platform_mgmt` | ||
| This document and sub chapters describes the steps needed to be done to ensure compliance to Security according to ISO SAE 21434 (secrity standard used in the project). |
There was a problem hiding this comment.
Compare Safety Management GetStr, propose to follow that, much easier and simpler
process/process_areas/security_management/security_management_getstrt.rst
Show resolved
Hide resolved
| * Monitor/Verify Security | ||
|
|
||
| Some of the workflows are currently either tailored out or not in scope of this project (due to Out-of-Context development). | ||
| Refer :need:`wp__tailoring_work_products` section for the details about tailoring. |
There was a problem hiding this comment.
Workflows and work products are different topics. Workflows tailored now, but we should revise this decision and plan for an Audit, Needs discussion
There was a problem hiding this comment.
Compare Safety Getting Started, you may add same statement for open issues, etc.
There was a problem hiding this comment.
I thought it would be a good hint to also give to users that not everything as per standard is in scope and somethings are tailored out. thought this is useful to know during the getting started itself.
if its ok i will keep it and replace workflow with workproducts.
process/process_areas/security_management/security_management_concept.rst
Show resolved
Hide resolved
| - Link to checklist | ||
| * - SecMP_00_01 | ||
| - :need:`gd_chklst__security_plan` | ||
| - :need:`gd_chklst__module_security_plan` |
There was a problem hiding this comment.
No, Safety is also only for Module, the naming is misleading, in Safety we have no products on Platform level, see my other comments, platform to be deleted
| # ******************************************************************************* | ||
|
|
||
|
|
||
| Platform Security Plan Formal Review Report |
There was a problem hiding this comment.
no platform for safety, remove
There was a problem hiding this comment.
- could not comment for previous point so entering it here. have replaced gd_chklst__module_security_plan to gd_chklst__security_plan
- sorry to repeat, but once again even if we reuse the template for platform, how will we get to know that we need to have a review checklist also at platform level?
process/folder_templates/platform/security_planning/platform_security_plan.rst
Outdated
Show resolved
Hide resolved
| # ******************************************************************************* | ||
|
|
||
|
|
||
| Platform Security Package Checklist |
There was a problem hiding this comment.
noting on platform for safety, remove
There was a problem hiding this comment.
as discussed, corrected safety to include platform.
| # SPDX-License-Identifier: Apache-2.0 | ||
| # ******************************************************************************* | ||
|
|
||
| Platform Security Manual |
There was a problem hiding this comment.
nothing on platform, remove
There was a problem hiding this comment.
where do we write assumption of use at platform level?
aschemmel-tech
left a comment
aschemmel-tech
left a comment
There was a problem hiding this comment.
See inline answers to existing comments
| Security Package Formal Review Checklist | ||
| ======================================== | ||
|
|
||
| .. gd_chklst:: Platform Security Package Formal Review Checklist |
There was a problem hiding this comment.
Also in other process areas (architecture, requirements) we did not create separate checklist guidances (gd_chklst_...) for all the different levels as these have the same content. Just the document templates stored for direct usage in the folder template section are "level specific".
process/process_areas/security_management/guidance/checklist_security_plan.rst
Show resolved
Hide resolved
|
@pahmann , @masc2023 , @PandaeDo , @aschemmel-tech I have fixed the findings. there are some open points. could you please check and provide your feedback for the new changes? |
5 participants
Changes as mentioned in #451