docs: extend security explanation page to cover SEC0030 V1.3 gaps #2571
Open
tonyandrewmeyer wants to merge 3 commits into
…3 gaps

Extend docs/explanation/security.md to close the SEC0030 V1.3 gaps recorded in the operator gap analysis. This is an extension only; existing sections are unchanged except for the noted Cryptography and Security-lifecycle additions.

Added sections:
- Product architecture: trust boundaries (Juju, ops, charm code) and what ops controls versus delegates, referencing the existing Inter-process communication and Charm unit databases sections.
- Secure by Design: design rationale for the minimal security surface (no network listeners, crypto delegated to Juju and the stdlib, bounded persistence).
- Logging and monitoring: charm logging via juju-log through the Python stdlib logging module, with a forward reference to SEC0045 security-event logging.
- Secure decommissioning: pip uninstall plus removal of the state and tracing databases, with a note on confirming secure deletion outside Juju's normal flow.

Extended sections:
- Cryptography D/E: name the actual crypto-providing packages (Python stdlib ssl via urllib.request) and add an explicit at-rest statement.
- Security lifecycle: supported-version matrix mirroring SECURITY.md, PyPI update delivery, version-verification commands, and EOL stance.
- Align security lifecycle with SECURITY.md and the tool versions page by mentioning LTS support windows and linking to the versions matrix.
- Update logging section to reflect that OWASP-vocabulary security events are already emitted, rather than promised.
- Drop internal SSDLC audit references.
- Rewrite secure decommissioning to reflect that ops is a library without its own lifecycle.
This PR extends docs/explanation/security.md to close the SEC0030 V1.3 gaps. This is an extension only; existing sections are unchanged except for the noted Cryptography and Security-lifecycle additions.
Added sections:
Extended sections: