What Does it Mean to Get Gold in CII Badging?


What Does it Mean to Get Gold in CII Badging? (and Silver and Passing)
SECCOM CII Badging
Tony Hansen, 2019/9/27

What is CII Badging About?

“The Linux Foundation (LF) Core Infrastructure Initiative (CII) Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices.”
Source: bestpractices.coreinfrastructure.org

“. . . following best practices can help improve the results of projects. For example, some practices enable multi-person review before release, which can both help find otherwise hard-to-find technical vulnerabilities and help build trust and a desire for repeated interaction among developers from different organizations.”
Source: github.com/coreinfrastructure/best-practices-badge/blob/master/doc/criteria.md

“Compare the cost of defense to the cost of failure”
“Take the software equivalent of basic hygiene steps and combine approaches in a way that make a system harder to successfully attack”
“Failing to implement basic measures for protection, detection and recovery in systems where it matters is just a form of negligence”
“It is an easy way for an open source project to self-improve.”
Dr. David A. Wheeler, How to Develop Secure Applications: The BadgeApp Example (www.youtube.com/watch?v=5a5D4d6hcEY); creator of the BadgeApp application; author of the Secure Programming HOWTO (dwheeler.com/secure-programs)

Some Badge Earners

Why are we doing this? Bottom line: We are using CII Badging to get ONAP projects to verify and/or improve the security and quality of their code and the project. Getting the silver star or gold star from the CII badge is truly secondary.

Progressively Strict

The three levels are Passing, Silver and Gold.
The questions use SHOULD and MUST to distinguish what is optional (at this level) from what is required.
Questions progress across levels:
  An item introduced in Passing as a SHOULD becomes a MUST in Silver.
  An item introduced in Silver as a SHOULD becomes a MUST in Gold.
Answering a SHOULD question as YES counts at ALL LEVELS.

The CII Sections

Each level (Passing, Silver, Gold) groups its questions into the same six sections: Basics, Change Control, Reporting, Quality, Security, Analysis.

How is ONAP Doing on Badging Levels?

Passing: 30 / 34 are 100% Passing; the remaining 4 are >85% Passing.
Silver: 2 are 100% Silver (Wow); 25 are >75% Silver (Super); 4 are 30% to 45%; 7 are <30%.
Gold: 5 are >40% (Cool); 8 are 20% to 40%; 25 are <20%.

Multiple Categories of Concern

I’ve categorized the different questions using these categories for separate domains of questions:
  The quality of the application itself (Application Quality)
  The quality of the project overview (Project Quality)
  The quality of the infrastructure used to build and support the application (Infrastructure Quality)
  The people building the application (People)
  FLOSS encouragement

Question counts by category, as given on the slide (Passing, Silver, Gold):
  Application Quality: 26, 24, 9
  Project Quality: 22, 8
  Infrastructure Quality: 10, 2, 4
  People: 3
  FLOSS Encouragement: (no counts on the slide)
  Totals: 66, 55, 23

The Silver Criteria

Project Quality: code of conduct; coding standards; coding standards enforced; contribution requirements; developer certificate of origin; documentation achievements; documentation architecture; documentation current; documentation quick start; documentation roadmap; external dependencies; governance; installation common; installation development quick; installation standard variables; maintenance or update; report tracker; signed releases; test policy mandated; tests documented added; updateable reused components; version tags signed; vulnerability report credit; vulnerability response process

Application Quality: accessibility best practices; assurance case; automated integration testing; build non-recursive; build preserve debug; build repeatable; build standard variables; crypto algorithm agility; crypto certificate verification; crypto credential agility; crypto TLS 1.2; crypto used network; crypto verification private; crypto weaknesses; dependency monitoring; dynamic analysis unsafe; hardening; implement secure design; input validation; interfaces current; internationalization; regression tests added (50%); static analysis common vulnerabilities; test statement coverage (80%); warnings strict

People: access continuity; bus factor; roles and responsibilities

Infrastructure Quality: documentation security; sites password security

The Gold Criteria

Application Quality: two-person reviews; crypto TLS 1.2; crypto used network; application hardening; dynamic analysis tool; security reviews; 80% test branch coverage; test suite invocation standardized; 90% statement test coverage

Project Quality: license per file; copyright per file; continuous integration; reproducible build; code review standards; >=2 unassociated contributors per project

People: bus factor; small tasks for new / casual contributors

Infrastructure Quality: distributed repo tools; hardened site; 2FA for contributors

Resources

CII site: https://bestpractices.coreinfrastructure.org
Extensive details on the CII questions:
  https://github.com/coreinfrastructure/best-practices-badge/blob/master/doc/criteria.md
  https://github.com/coreinfrastructure/best-practices-badge/blob/master/doc/other.md
Why these questions? https://github.com/coreinfrastructure/best-practices-badge/blob/master/doc/background.md
ONAP resources, including answers to many “questions with ONAP-wide answers”: https://wiki.onap.org/display/DW/CII+Badging+Program
CII ONAP portal: http://tlhansen.us/onap/cii.html

Example Silver criteria (ref: http://tlhansen.us/onap/cii.html#silver): Code of conduct; Crypto certificate verification; Crypto used network
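Two of the three criteria called out above, crypto certificate verification and crypto used network (together with the related Silver criterion crypto TLS 1.2), are the ones a developer can check directly in code rather than in project policy. What follows is an added example, not code from the slides or from any ONAP project. It uses only the Python standard library; the function names (`weak_context`, `hardened_context`, `audit_context`, `is_secure_endpoint`) and the scheme lists are this example's own choices, made to mirror what those criteria ask for: chain and hostname verification on by default, nothing below TLS 1.2, and plaintext protocols such as HTTP, FTP and telnet disabled unless the user explicitly turns them on.

```python
"""Added example (not from the slides or from ONAP): what the Silver criteria
"crypto certificate verification", "crypto tls12" and "crypto used network"
look like in code, using only the Python standard library.

weak_context()      the settings those criteria reject
hardened_context()  a compliant default
audit_context()     checks an SSLContext against the criteria
is_secure_endpoint() applies "insecure protocols off by default" to a URL
"""
import ssl
import warnings
from typing import List, Optional
from urllib.parse import urlsplit


def weak_context() -> ssl.SSLContext:
    """The pattern the criteria reject: verification switched off "to make it
    work" and old protocol versions left enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # no hostname check against the cert
    ctx.verify_mode = ssl.CERT_NONE     # no chain verification at all
    try:
        # TLS 1.0 is deprecated; it is enabled here deliberately to show the
        # weak setting. Some OpenSSL builds refuse it, which is fine too.
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        pass
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """What a compliant project ships by default: chain and hostname
    verification on, a trust store loaded, nothing below TLS 1.2.
    cafile is a hypothetical path to a private CA bundle; None means the
    system trust store."""
    # create_default_context() already sets verify_mode=CERT_REQUIRED and
    # check_hostname=True and loads the system (or the given) CA bundle.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the criteria an SSLContext violates (empty list = compliant)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("crypto certificate verification: peer chain is not verified")
    if not ctx.check_hostname:
        findings.append("crypto certificate verification: hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("crypto tls12: protocol versions below TLS 1.2 are enabled")
    return findings


# Encrypted protocols the crypto used network criterion accepts, and the
# plaintext ones it says must be off by default (lists chosen for this example).
SECURE_SCHEMES = {"https", "wss", "sftp", "ssh", "ftps", "ldaps"}
INSECURE_SCHEMES = {"http", "ws", "ftp", "telnet", "ldap"}


def is_secure_endpoint(url: str) -> bool:
    """True only for endpoints reached over an encrypted protocol.
    Unknown schemes are rejected as well (deny by default)."""
    scheme = urlsplit(url).scheme.lower()
    if scheme in INSECURE_SCHEMES:
        return False
    return scheme in SECURE_SCHEMES


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name + ":", audit_context(ctx) or ["compliant"])
    # Constructed sample endpoints, not real ONAP addresses.
    for u in ("https://example.org/api", "http://example.org/api", "ftp://example.org/pub"):
        print(u, "->", "ok" if is_secure_endpoint(u) else "insecure, must be off by default")
```

Running the block prints the findings for the weak context and an empty finding list for the hardened one; the same `audit_context` check can be dropped into a project's unit tests so a later "temporary" `verify_mode = CERT_NONE` fails CI instead of shipping.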

Thank you. That’s all. Q & A