[Security Review] Hexa Policy Orchestration

[ggebel]

Project Name: Hexa Policy Orchestration

Github URL: https://github.com/hexa-org

CNCF project stage and issue (NA if not applicable): NA, pre-sandbox submission

Security Provider: yes/no (e.g. Is the primary function of the project to support the security of an integrating system?) Yes

• Identify team
  • Project security lead @ggebel
  • Lead security reviewer @JustinCappos
  • 1 or more additional reviewer(s)
  • Every reviewer has read security reviewer guidelines and stated declaration of conflict
  • Sign off by 2 chairs on reviewer conflicts
• Create slack channel (e.g. #sec-assess-projectname)
• Project lead provides draft document - self assessment
• "Naive question phase" Lead Security Reviewer asks clarifying questions
• Assign issue to security reviewers
• Initial review
• Presentation & discussion
• Share draft findings with project
• Assessment summary and doc checked into /assessments/projects/project-name (require at least 1 co-chair approval)
• CNCF TOC presentation (if requested by TOC)

[ggebel]

First draft of self assessment
Hexa self assessment.pdf

[stale]

This issue has been automatically marked as inactive because it has not had recent activity.

[JustinCappos]

Thank you for sending this self assessment. Can you give a copy in Google Doc format so it is easy for us to comment on it?

Also, given the project is pre-sandbox, it may take a little time to get a team together from our side to assess this. Please feel free to ping us to ask about this if you do not hear back in a reasonable timeframe.

[ggebel]

Hi @JustinCappos, here you go: https://docs.google.com/document/d/1gHGIAqWfpNnu5b35F5qJgszJT4DUnUszsisIKTABU6c/edit?usp=sharing

[JustinCappos]

Okay, thanks!

@ggebel Will you act as the project security lead?

[ggebel]

Yes, @JustinCappos , I will act as security lead and bring in others as necessary

[JustinCappos]

Yes, @JustinCappos , I will act as security lead and bring in others as necessary

Okay, thanks. I added you above.

[stale]

This issue has been automatically marked as inactive because it has not had recent activity.

[JustinCappos]

I'm marking myself as lead reviewer. (I'm open to playing a different role if someone else wants to volunteer.)

I'll try to recruit other reviewers in the meeting this week. @ggebel , do you have cycles in the next month or so?

[ggebel]

Hi @JustinCappos - I should be able to make the call this week. Yes, I can make some time for discussions in the next month+. However, note that we are making some changes to the next version so I'm not sure if you want to wait for that work to complete or to get the first assessment completed sooner

[JustinCappos]

I think that waiting may be better. Just give us a heads up when the next version is out and the self assessment is being revised. I can get a team together then.

[eddie-knight]

Closing this for now