Schedule for Security Assessment #57
Closed
mm73628486283
started this conversation in
Ideas
Replies: 3 comments 1 reply
-
As suggested by @SSIRKC, we can put availability time slots in the corresponding issue template.
0 replies
-
I think if you want to do a security assessment, you have to proactively approach the development teams. The dev teams have so much to do that they won't request assessments on their own initiative.
1 reply
-
schedule was added by @mm73628486283
0 replies
-
Problem description
As I've experienced so far, requests for security assessments always need scheduling efforts on both sides, projects and security team members. There is no common calendaring, so everyone involved in an assessment drops availability time slots in email threads until it works for everyone.
Suggested Solution
Having a public schedule with predefined time slots for security assessments (similar to Office Hours).
Projects can prepare an appointment for their security assessment in advance thanks to the fixed dates. In the average case a project may hit an already blocked slot, in which case it has to postpone to the next week. In the worst case an individual agreement on a specific date is needed. The security team can plan the availability of team members for assessments.
What needs to be done for this:
- Set up an availability schedule (markdown in the sig-security repo)
- Determine the frequency (e.g. two 1h slots per week)
- Update the issue template for security assessments (request a scheduled slot: [day, calendar week])
- Advertise it in the DevSecOps Hour
What do you think about this approach?
What might be a well balanced frequency?
Note: This approach doesn't make ad hoc requests obsolete; we will still support individual appointments if necessary.