
I just ran aspell and saw there were a few misspellings; this patch fixes them. Change-Id: I665ef0f376b38f3c88ef82eadfde8eef7a1eeccb
34 lines
1.4 KiB
ReStructuredText
====================
Threat Analysis Todo
====================

Needed
~~~~~~

#. page saying what TAs have been done, and haven't.
#. Etherpad template for review tracking
#. process
#. Improve documentation around context for OpenStack deployments, namely that
   they reflect best practice, and the documentation should explain what to do
   when things can be changed.
#. Add information on filling in interfaces table from diagram.
#. Remove U-C, O-C, I-C guidance
#. Add guidance that explains the importance of paying special attention to
   interfaces that cross trust boundaries
#. Reviewer to build sequence diagrams in real time during the review
#. Document how we assess a third party review to be in line with our key
   security assertions. I think perhaps we need a mapping table or something.
#. Should we prioritise assets?
#. Data assets should be listed in the architecture page before the review.
#. Figure out how to protect etherpad contents while retaining ability to share
   and collaboratively edit it.
#. Add 'review CIA for data assets to process'
#. change 'review CIA for each interface' to 'review CIA for each interface
   that crosses a security domain or each interface that doesn't use TLS'
#. Best practice for each type of asset connection
#. Document what a trust boundary is
#. Document what an asset is. Config file? elements within a config file?
#. Document what level of detail we want for external dependencies and give
   examples.