"The project MUST have performed a security review within the last 5 years. This review MUST consider the security requirements and security boundary." – Best Practices Badging Criteria [security-review G]
...
| Your Answer - Please Explain | Score |
|---|---|
| Yes. The majority of DCAE committers and the PTL are generally familiar with secure software development practices and experienced in vulnerability resolution. The CLM scan reports and OJSI tickets are periodically assessed by the same PTL/committers. | |
Implement Secure Design
Do the committers and PTL apply secure design principles when reviewing software for merging?
...
| Your Answer - Please Describe | Score |
|---|---|
| Yes. Documented under this wiki: DCAE Security Design & Assurance | |
Assurance Case
Does your project actually meet its documented security requirements?
...
| Your Answer - Please Describe | Score |
|---|---|
| Yes. Documented under this wiki: DCAE Security Design & Assurance | |
Vulnerability Mitigation
Vulnerabilities Critical Fixed
...
| Your Answer - Please Explain | Score |
|---|---|
| The majority of DCAE services are compliant. There is no C/C++ code in DCAE repositories, hence the compiler-flag-related questions do not apply. DL-Admin has a web (user) interface which is not compliant with all of the hardening requirements listed; it also stores external DB credentials (TBD whether the data is encrypted/hashed when persisted in the DB). | |
...