Update controls per CNSWPv2 updates #21
Conversation
192,SSCP v1.0,Securing the Source Code,Use SSH keys to provide developers access to source code repositories,,AC-1 REMOTE ACCESS,Moderate to High,Moderate to High | ||
193,SSCP v1.0,Securing the Source Code,Have a key rotation policy,"It is recommended to implement a key rotation policy to ensure that compromised keys will cease to be usable after a certain period of time. When a private key is known to have been compromised, it should be revoked and replaced immediately to shut off access for any unauthorized user. Organizations may also consider using short lived certificates or keys, which reduces the reliance on certificate revocation systems.",AC-2(1) ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT,Moderate to High,Moderate to High | ||
194,SSCP v1.0,Securing the Source Code,Use short-lived/ephemeral credentials for machine/service access,"Short-life credential issuance encourages the use of fine grained permissions and automation in provisioning access tokens. For CI/CD pipeline agents, short-lived access tokens should be considered instead of password-based credentials. The use of very short-lived tokens like OAuth 2.0, OpenID Connect, etc., will help to implement more secure access and increase the security assurance.",AC-2(1) ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT MANAGEMENT,Moderate to High,Moderate to High | ||
195,CNSWP v1.0,Develop,Implement secure configuration as the default state of the system,Transitioning towards such a system involves making security a design requirement, inheriting default security configuration and supporting an exception process,SA-8(23) SECURITY AND PRIVACY ENGINEERING PRINCIPLES | SECURE DEFAULTS,N/A,N/A |
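Review bot: row 195's description column contains commas ("making security a design requirement, inheriting default security configuration and supporting an exception process") but is not wrapped in double quotes the way rows 193 and 194 are, so a CSV parser will split it into extra fields and shift the NIST mapping and the two baseline columns to the right. Quote the description like the rows above it: `195,CNSWP v1.0,Develop,Implement secure configuration as the default state of the system,"Transitioning towards such a system involves ... supporting an exception process",SA-8(23) ...`. Separately, the second column reads "CNSWP v1.0" although the PR title says the control comes from the CNSWP v2 updates; confirm which version label is intended.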
Should this, and the next 3, be CNSWP v2.0?
Is it a fair summary to say that there are only 3 additional controls in the CNSWP v2 vs v1? Meaning that CNSWP v2 is a true superset of v1
@pratiklotia please rebase on main
@pratiklotia when you get a chance can you please give this PR some love? Thanks!
Background
I created a new doc v1.1 to include the updates from CNSWPv2. I also added a changelog to indicate what has been added compared to v1.
Note to Reviewers
(1) For now, any new controls have been added at the end of the doc. While adding them in the respective locations would be recommended, I'm concerned that it leads to the 'ID' being updated for all other controls, and that would make it difficult to keep track of and update dependent frameworks.
(2) CNSWPv2 recommends several SSCP best practices as well as GitOps best practices which are already covered in SSCP controls (check (3) & (4) in the changelog file). Do we think we should add each control separately again as a part of CNSWP, or, since it is covered in SSDP, is it fine?