"The project MUST have performed a security review within the last 5 years. This review MUST consider the security requirements and security boundary." – – Best Practices Badging Criteria [security-review G]
| NOTE: THIS PAGE IS UNDER CONSTRUCTION BY SECCOM |
|---|
...
For each one, additional information on the question is available to be read by clicking the arrow following the question.
Once the security review is done and scored, the application owner
| Table of Contents |
|---|
Security Knowledge
...
| Your Answers-Please Explain | Score |
|---|---|
Implement Secure Design
Do the committers and PTL apply secure design principles when reviewing software for merging?
...
| Your Answer-Please Explain | Score |
|---|---|
Know Common Errors
Do the committers and PTL understand commonly found errors (and how to counter or mitigate them)? Do they apply these principles when reviewing software for merging?
...
| Your Answers-Please Explain | Score |
|---|---|
No Leaked Credentials
Do the committers and PTL verify that there are no non-test credentials and no non-test private keys in code to be merged?
...
| Your Answer-Please Explain | Score |
|---|---|
Security Documentation
Documentation Architecture
...
| Your Answer-Please Describe | Score |
|---|---|
Documentation Security
Does your project have a description of what a user of your project can and cannot expect in terms of security from the software produced by the project, (In other words, what are its 'security requirements'?)
...
| Your Answer-Please Describe | Score |
|---|---|
Assurance Case
Does your project actually meet its documented security requirements?
...
| Your Answer-Please Describe | Score |
|---|---|
Vulnerability Mitigation
Vulnerabilities Critical Fixed
...
| Your Answer-Please Explain | Score |
|---|---|
Vulnerabilities Fixed 60 Days
...
| Your Answer-Please Explain | Score |
|---|---|
Non-Cryptographic Software Questions
...
| Your Answer-Please Explain | Score |
|---|---|
Hardening
Does your project apply hardening mechanisms so that software defects are less likely to result in security vulnerabilities?
...
| Your Answer-Please Explain | Score |
|---|---|
Cryptographic-specific Software Questions
...
| Your Answer-Please Explain | Score |
|---|---|
Crypto Random - Generic
Does your software use random information? If so, does it use a cryptographically secure random number generator?
...
| Your Answers-Please Explain | Score |
|---|---|
Crypto Weaknesses
Does your software depend on any cryptographic algorithms or modes that have known serious weaknesses?
...
| Your Answer-Please Explain | Score |
|---|---|
Crypto Working
Does your software depend on any cryptographic algorithms that are known to be broken?
...
| Your Answer-Please Explain | Score |
|---|---|
Crypto Keylength
Does your software generate any keys? If so, do they use any default key-lengths that are considered insecure?
...
| Your Answers-Please Explain | Score |
|---|---|
Crypto Algorithm Agility
Does your software use cryptographic algorithms? If so, can a user of ONAP switch the algorithm if one is found to be broken?
...
| Your Answers-Please Explain | Score |
|---|---|
Crypto Certificate Verification
...
| Your Answers-Please Explain | Score |
|---|---|
Crypto Credential Agility
...
| Your Answers-Please Explain | Score |
|---|---|
Crypto TLS1.2
Does your software support HTTPS? If so, is the minimum version allowed TLS1.2?
...
| Your Answers-Please Explain | Score |
|---|---|
Crypto Used Network
Does your software have network communications inbound or outbound? If so, do you support secure protocols for all such network communications?
...
| Your Answers-Please Explain | Score |
|---|---|
Crypto Verification Private
...
| Your Answers-Please Explain | Score |
|---|---|