
Comments (3)

mhdawson avatar mhdawson commented on August 17, 2024 2

In terms of the suggested expansions, the intention was to look at it from a top-level model (separate from our existing threat model) which would include all ways that supply chain security might be compromised and what we have in place already to address those concerns. I think this would include all of the different roles we have in terms of access as well as people with no access at all. The top-level view should help us understand the relative risks and where it might be best to focus our energy. One way to start might be to build the list of

  • classes of infrastructure that are used in the project (test machines, Jenkins machines, release machines, etc.)
  • what having access to those classes of infrastructure would let people do
  • different roles that give people different levels of access to those components
  • the protections/approaches we already have in place to mitigate risks

EDIT: in part, what I meant to say is that all those suggestions are good ideas to include in the scope.

from security-wg.

UlisesGascon avatar UlisesGascon commented on August 17, 2024 1

Yep, this is great! We can also extend the threat model a bit to explain how the roles in the organization can impact the final users in case of bad actors or human errors. It would be beneficial to document in simple terms all the measures we have in place to prevent this (as referenced here) and how the organization promotes individuals to those roles, etc.

I believe that from an external point of view, this might be an interesting topic to cover, especially when adopting Node.js, particularly in commercial companies.

from security-wg.

RafaelGSS avatar RafaelGSS commented on August 17, 2024 1

I would like to expand this discussion to a more sensitive role in the Node.js organization: Releasers.

  • Is there a security concern about keeping inactive releaser keys on our machines?
  • Is the process of signing releases from a collaborator easily exploited?
  • Should we be more restrictive with the inactive limit for releasers? And what about the security-triage group?

cc/ @nodejs/releasers

from security-wg.
