Description
Like its title suggests, the “Security Functions and Features” section is used to describe anything built into your project that is designed to improve the security for users. You can organize this however you like, so long as you include the component name, the applicability, and the description of why it’s important. These entries will be helpful for threat modeling later.
Applicability is either “Critical” or “Security Relevant”. Critical elements are non-configurable design decisions intended to increase the security of the project. Security Relevant elements are parts of the project that can be configured by users to improve the security posture of an implementation.
Description of Importance is again what it sounds like, a sentence or two explaining why this feature is an important part of the project’s design and why it should be part of the threat model.
In the example below, our project does not support production usage, so there isn’t a long list of security features already built in. Perhaps we’ll use this to help inform our security improvements on the roadmap!
## Security functions and features
| Component | Applicability | Description of Importance |
| --------- | ------------- | ------------------------- |
| HashiCorp Go-Plugin | Critical | The `Go-Plugin` component enables Privateer to segment Raids as fully independent processes that communicate with the core via RPC on a local network, thereby allowing plugins to operate side-by-side without opportunity for configuration collision or side-channeling. |
| YAML Configuration | Relevant | The YAML configuration handling enables Privateer to safely read user configuration and secrets across multiple Raid executions while encrypting or masking them when appropriate. |