intake process and prioritization

README.md

@@ -90,14 +90,43 @@ If you are new to the group, check out our [New Members Page](NEWMEMBERS.md) and
 * Sarah Allen ([@ultrasaurus](https://github.com/ultrasaurus)), [Chair - term: 6/3/2019 - 6/3/2021]
 * Jeyappragash JJ ([@pragashj](https://github.com/pragashj)), Tetrate.io [Chair - term: 6/3/2019 - 6/3/2021]
 
-### SIG Members
+### On-going projects
+
+#### Policy team
+
+Policy is an essential component of a secure system.
+
+[Bi-weekly meetings](https://docs.google.com/document/d/1ihFfEfgViKlUMbY2NKxaJzBkgHh-Phk5hqKTzK-NEEs/edit?usp=sharing) at 4:00pm PT
+focus on policy concerns and initiatives.
+
+Co-leads
+
+  * Howard Huang ([@hannibalhuang](https://github.com/hannibalhuang)), Huawei [Kubernetes Policy WG co-chair]
+  * Erica von Buelow ([@ericavonb](https://github.com/ericavonb)), Red Hat [Kubernetes Policy WG]
+
+Co-chair representative: @pragashj
+
+
+#### Security assessments
+
+[Security assessments](./assessments) are a collaborative process for the
+benefit of cloud native projects and prospective users by creating a consistent
+overview of the project and its risk profile.
+
+Facilitator: Justin Cappos ([@JustinCappos](https://github.com/JustinCappos)),
+New York University
+
+Co-chair representative: @ultrasaurus
+
+
+
+### SIG members
 Membership governance can be viewed [here](https://github.com/cncf/sig-security/blob/master/governance/roles.md#role-of-members). If you are new, check out the [New Members Page](NEWMEMBERS.md).
 <details><summary>Click to view list</summary>
 
 * Devarajan P Ramaswamy ([@deva](https://github.com/deva26)), PADME
 * Kamil Pawlowski ([@kbpawlowski](https://github.com/kbpawlowski))
 * Geri Jennings ([@izgeri](https://github.com/izgeri)), CyberArk
-* Howard Huang ([@hannibalhuang](https://github.com/hannibalhuang)), Huawei [Kubernetes Policy WG co-chair]
 * Jason Melo ([@jasonmelo](https://github.com/jasonmelo)), NearForm
 * Torin Sandall ([@tsandall](https://github.com/tsandall)), OPA
 * Sree Tummidi ([@sreetummidi](https://github.com/sreetummidi)), Pivotal [Cloud Foundry Project Lead]
@@ -109,7 +138,6 @@ Membership governance can be viewed [here](https://github.com/cncf/sig-security/
 * Liz Rice ([@lizrice](https://github.com/lizrice)), Aqua Security
 * Erik St. Martin ([@erikstmartin](https://github.com/erikstmartin)), Microsoft
 * Cheney Hester ([@quiqie](https://github.com/quiqie)), Fifth Third Bank
-* Erica von Buelow ([@ericavonb](https://github.com/ericavonb)), Red Hat [Kubernetes Policy WG]
 * Mark Underwood ([@knowlengr](https://github.com/knowlengr))
 * Rae Wang ([@rae42](https://github.com/rae42)), Google
 * Rachel Myers ([@rachelmyers](https://github.com/rachelmyers)), Google
@@ -125,7 +153,6 @@ Membership governance can be viewed [here](https://github.com/cncf/sig-security/
 * Alban Crequy ([@alban](https://github.com/alban)), Kinvolk
 * Michael Schubert ([@schu](https://github.com/schu)), Kinvolk
 * Andrei Manea ([@andrei_821](https://github.com/andrei821)), CloudHero
-* Justin Cappos ([@JustinCappos](https://github.com/JustinCappos)), New York University [Security Assessment Facilitator]
 * Santiago Torres-Arias ([@SantiagoTorres](https://github.com/SantiagoTorres)), New York University
 * Brandon Lum ([@lumjjb](https://github.com/lumjjb)), IBM
 * Ash Narkar ([@ashutosh-narkar](https://github.com/ashutosh-narkar)), OPA

assessments/README.md

@@ -2,43 +2,77 @@
 
 ## Goals
 
-The [security assessment process](guide) is designed to accelerate the adoption of cloud native technologies, based on the following goals and assumptions:
+The [security assessment process](guide) is designed to accelerate the adoption
+of cloud native technologies, based on the following goals and assumptions:
 
 ### 1) Reduce risk across the ecosystem
 
-The primary goal is to reduce the risk from malicious attacks and accidental breaches of privacy. This process supports that goal in two ways:
+The primary goal is to reduce the risk from malicious attacks and accidental
+breaches of privacy. This process supports that goal in two ways:
 
-   * Clear and consistent process for communication increases detection & reduces time to resolve known or suspected vulnerability issues
-   * A collaborative evaluation process increases domain expertise within each participating project.
+   * Clear and consistent process for communication increases detection &
+     reduces time to resolve known or suspected vulnerability issues
+   * A collaborative evaluation process increases domain expertise within each
+     participating project.
 
 ### 2) Accelerate adoption of cloud native technologies
 
-Security reviews are a necessary, time intensive process. Each company, organization and project must perform its own reviews to ensure that it meets its unique commitments to its own users and stakeholders.
-In open source, simply finding security-related information can be overwhelmingly difficult and a time consuming part of the security review. The CNCF security assessment, hereafter "security assessment," process is intended to enable improved discovery of security information & assist in streamlining internal and external security reviews in multiple ways:
+Security reviews are a necessary, time intensive process. Each company,
+organization and project must perform its own reviews to ensure that it meets
+its unique commitments to its own users and stakeholders. In open source, simply
+finding security-related information can be overwhelmingly difficult and a time
+consuming part of the security review. The CNCF security assessment, hereafter
+"security assessment," process is intended to enable improved discovery of
+security information & assist in streamlining internal and external security
+reviews in multiple ways:
 
    * Consistent documentation reduces review time
    * Established baseline of security-relevant information reduces Q&A
-   * Clear rubric for security profile enables organizations to align their risk profile with the project’s risk profile and effectively allocate resources (for review and needed project contribution)
+   * Clear rubric for security profile enables organizations to align their risk
+     profile with the project’s risk profile and effectively allocate resources
+     (for review and needed project contribution)
    * Structured metadata allows for navigation, grouping and cross-linking
 
-We expect that this process will raise awareness of how specific open source projects affect the security of a cloud native system; however, separate activities may be needed to achieve that purpose using materials generated by the assessements.
+We expect that this process will raise awareness of how specific open source
+projects affect the security of a cloud native system; however, separate
+activities may be needed to achieve that purpose using materials generated by
+the assessements.
 
 ## Outcome
 
 Each project's security assessment shall include a description of:
 1. the project's design goals with respect to security
 2. any aspects of design and configuration that could introduce risk
-3. known limitations, such as expectations or assumptions that aspects of security, whole or in part, are to be handled by upstream or downstream dependencies or complementary software
-4. next steps toward increasing security of the project itself and/or increasing the applications of the project toward a more secure cloud native ecosystem
-
-Due to the nature and timeframe for the analysis, *this review is not meant to subsume the need for a professional security audit of the code*.  Audits of implementation-specific vulnerabilities, improper deployment configuration, etc. are not in scope of a security assessment.  A security assessmet is intended to uncover design and configuration flaws and to obtain a clear, comprehensive articulation of the project's design goals and aspirations while documenting the intended security properties enforced, fulfilled, or executed by said project.
+3. known limitations, such as expectations or assumptions that aspects of
+   security, whole or in part, are to be handled by upstream or downstream
+   dependencies or complementary software
+4. next steps toward increasing security of the project itself and/or increasing
+   the applications of the project toward a more secure cloud native ecosystem
+
+Due to the nature and timeframe for the analysis, *this review is not meant to
+subsume the need for a professional security audit of the code*.  Audits of
+implementation-specific vulnerabilities, improper deployment configuration, etc.
+are not in scope of a security assessment.  A security assessmet is intended to
+uncover design and configuration flaws and to obtain a clear, comprehensive
+articulation of the project's design goals and aspirations while documenting the
+intended security properties enforced, fulfilled, or executed by said project.
 
 Finalized assessments may be used by the community to assist in contextual evaluation of a  project but are not an endorsement of the security of the project, not a security audit of the project, and do not relieve an individual or organization from performing due diligence and complying with laws, regulations, and policies.
 
 Draft assessments contain *unconfirmed* content and are not endorsed as factual until committed to this repository, which requires detailed peer review.  Draft assessments may also contain *speculative* content as the project lead or security reviewer is performing an evaluation.  Draft assessments are *only* for the purpose of preparing final assessment and are **not** to be used in any other capacity by the community.
 
 ## Process
 
-The security assessment is a collaborative process for the benefit of the project and the community, where the primary content is generated by the [project lead](guide/project-lead.md) and revised based on feedback from [security reviewers](guide/security-reviewer.md) and other members of the SIG.
+The security assessment is a collaborative process for the benefit of the
+project and the community, where the primary content is generated by the
+[project lead](guide/project-lead.md) and revised based on feedback from
+[security reviewers](guide/security-reviewer.md) and other members of the SIG.
+
+
+* If you interested in a security assessment for your project and you are
+  willing to volunteer as [project lead](guide/project-lead.md) or you are a
+  SIG-Security member and want to recommend a project to review, please [file an
+  issue](https://github.com/cncf/sig-security/issues/new?assignees=&labels=assessment&template=security-assessment.md&title=%5BAssessment%5D+Project+Name)
 
-See [security assessment guide](guide) for more details.
+See [security assessment guide](guide) for more details.  To understand how we
+prioritize reviews, see [intake process](./intake-process.md).

assessments/intake-process.md

@@ -0,0 +1,74 @@
+# Security Assessment Priorities & Pipeline Intake Process
+
+SIG-Security has a volunteer team of subject matter experts and industry
+professionals dedicated to helping SIG-Security members, the TOC, and the larger
+CNCF community maintain an understanding of the current state of security in the
+cloud native ecosystem and helping cloud native projects succeed.
+
+The following process describes how projects are prioritized for security
+assessments.
+
+# Authority
+
+Team members are welcome to submit PRs to streamline process when priorities
+are clear based on the criteria below. As needed, specific leaders (identified
+in the [repo root README](/README.md@#security-assessments) will coordinate
+the decision-making process.
+
+* The [Security Assessment
+  Facilitator](/governance/roles.md#security-assessment-facilitator) is
+  responsible for maintaining the assessment queue and may delegate
+  responsibilities to specific individuals by defining and filling documented
+  roles and/or inviting community participation.
+* A named chair provides oversight for the Security Assessment initiative,
+  responsible for liaising with the TOC: aligning prioritization with TOC needs
+  and goals by finding opportunities to highlight work of Security Assessment
+  team, resolving questions/concerns about prioritization, and serving as an
+  escalation point for projects or SIG members, if needed.
+
+# Pre-conditions
+
+* The project is either a CNCF project OR an assertion that the project is cloud
+  native (any objection must be resolved before an assessment would be
+  considered)
+* The project has identified a project lead and has a written self-assessment
+
+# Intake priorities
+
+1. TOC requests SIG-Security review a specific project or adjust priorities.
+    * TOC request will not interrupt an ongoing assessment.
+    * TOC requests may jump the prioritized queue of projects waiting for an assessment.
+2. Projects that have received a CNCF Security Audit will be reviewed within a
+   year of audit. (For future audits, the security assessment will be a
+   pre-condition to the audit.)
+3. CNCF Projects that request a review (or invited by SIG members), prioritized
+   by project maturity (e.g. graduated projects will be highest priority, then
+   incubated projects, then sandbox).
+4. Non-CNCF Projects that request a review (or invited by SIG members).
+
+# Updates and renewal
+
+The Security Assessment team will aim to review assessed projects annually,
+focusing primarily on any issues or concerns raised in previous assessments,
+addressing new functionality that affects risk profile of the project,
+and any issue that may have been flagged about the project.
+
+# Managing the assessment queue
+
+Note: this section describes the current process. Anyone is welcome to open a
+github issue or submit a pull request suggesting process improvements
+or clarifying the documentation. Security Assessment Facilitator or any chair
+may take on any of the roles below, updating the queue, as long as the change
+is clearly communicated to the group (typically by adding a note to the
+relevant github issue).
+
+Each assessment is represented as a github issue, where the description field
+follows a [template](/.github/ISSUE_TEMPLATE/security-assessment.md)
+
+The queue is visible through [github project](https://github.com/cncf/sig-security/projects/2)
+
+* Anyone may propose a project for assessment, by opening an [issue](https://github.com/cncf/sig-security/issues/new?assignees=&labels=assessment&template=security-assessment.md&title=%5BAssessment%5D+Project+Name)
+* Security Assessment Facilitator or their delegate may:
+  * move the order of an assessment in the backlog
+  * close an issue (with an explanation) to remove a project from the queue.
+  * move a project from backlog to in-progress