Giter Site home page Giter Site logo

secure-development-and-deployment's People

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

junlapong johanditmar finpassbr kamal2222ahmed mattcollins howwerollingham daniel-ac-martin roryalsop toby-ncsc enixdark lcinquin raghavendar jmbmxer anillingutla hashware am-i-heisenberg ggialoukas webmago ik-security stuartsmiles01 vmayoral aliasrobotics louisnorthmore tubbz-alt fiantinangon uk-gov-mirror williamleggatt ousmaan codexpathcommunity tekpriest mcviswanadha hieunguyen0802 damilolaadegunwa weiplanet kodaininja msatul1305 begueradj ankitpatel2202 octopi-knowledge-base prasadekke lnaphade deyaa nathanawmk sharpboy2008 jucmoreno1 priyaranjans ab011we qishengc prouzzal velasco neixiiss rasamsh ninasree sc979 iyk-tech22 tmibrahim mylearning-gibbs100 felipevillagran ifeanyicyriacus

secure-development-and-deployment's Issues

Individuals peer reviewing their own code

I disagree that

individuals can also peer review their own code

If I am attempting to peer review my own code, then I have simply not finished writing and testing my code.

Coding in the open

5-protect-your-code-repository.md:
"Limit exposure & access to your repository
Technically enforce a model of least privilege for who can read and make changes to your code repository. Only permitted individuals should be able to view and make changes, and all activity should be attributable. For some use cases, it may be appropriate to 'code in the open', but consider the impacts first."

The paragraph above can be summarised into "code in private by default and open when appropriate". It is a radically different spirit than "code in open and close when appropriate" that has been recommended for years by GDS. See articles below.

As a consumer of these two clashing recommendations, I'm confused and it will make my stakeholders even more confused and choose the NCSC recommendation by default.

GDS - Coding in the open
https://gds.blog.gov.uk/2012/10/12/coding-in-the-open/

GDS - The benefits of coding in the open
https://gds.blog.gov.uk/2017/09/04/the-benefits-of-coding-in-the-open/

GDS - Coding in the open makes better code
https://gdstechnology.blog.gov.uk/2017/07/18/coding-in-the-open-makes-better-code/

MOJ Digital & Technology - Why we code in the open
https://mojdigital.blog.gov.uk/2017/02/21/why-we-code-in-the-open/

Sections 4 and 6 could be merged?

They are very similar, and to be honest developer machines are effectively a component in the development pipeline anyway (though they are more distributed).

Secure development

Is there an argument to expand [1] to include things like:

  • the use of threat modelling to identify risks and to align with the concept of continuous risk management.
  • getting devs to do security is better than asking security people to do development - so create networks of security champions.

Ability to react to compromise and/or vulnerability

While this guidance is explicitly targeted to teams practising continuous delivery, it might be worth noting (maybe in section 8), that you should be able to fix and deploy quickly.

There is no point identifying a problem quickly if it takes you 6 months to get a fix out to Prod.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.