From b41ff3e6c023bc81d96b9835e4dd0d7249bbfb8c Mon Sep 17 00:00:00 2001 From: Adam Richie-Halford Date: Mon, 21 Oct 2024 05:35:43 -0700 Subject: [PATCH] Fix typo in GitHub vendor assessment --- vendor-assessments/tpvar-github.md | 2 +- vendor-assessments/tpvar-github.md.bak | 38 +++++++++++++++++++++++++ vendor-assessments/tpvar-github.pdf | Bin 132792 -> 132955 bytes 3 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 vendor-assessments/tpvar-github.md.bak diff --git a/vendor-assessments/tpvar-github.md b/vendor-assessments/tpvar-github.md index 5aaf63c..28d8cf1 100644 --- a/vendor-assessments/tpvar-github.md +++ b/vendor-assessments/tpvar-github.md @@ -29,7 +29,7 @@ It is important to note that GitHub's security compliance confers no security be 1. **Access Control** Access to GitHub is performed using two-factor authentication and is restricted to authorized personnel. 1. **Code Review** Code changes must be reviewed and approved in order to progress through the software development life cycle (SDLC) and deploy a version to production. 1. **Code Vulnerability Scanning**: Vulnerability scans for the source code are performed to identify security issues. High/critical issues are remediated in a timely manner. -1. **Automated Tests**: A successful test result is mandatory in order to continue with the SLDC and deploy a version to the production environment. +1. **Automated Tests**: A successful test result is mandatory in order to continue with the SDLC and deploy a version to the production environment. 1. **Test Failure**: In case test failures are detected, a notification is sent to relevant stakeholders. Any code change with a failed test cannot be deployed into production. 1. **Change Approval**: All code changes need to be approved/authorized, prior to being deployed into production. diff --git a/vendor-assessments/tpvar-github.md.bak b/vendor-assessments/tpvar-github.md.bak new file mode 100644 index 0000000..5aaf63c --- /dev/null 
+++ b/vendor-assessments/tpvar-github.md.bak 
@@ -0,0 +1,38 @@ +--- +title: "Third-party vendor assessment report: GitHub" +author: "Adam Richie-Halford, ROAR Information Security Officer" +lang: "en" +date: "2024-10-12" +... + +# ROAR Third-Party Vendor Assessment Report + +**Vendor**: GitHub\ +**Assessor**: Adam Richie-Halford, ROAR Information Security Officer + +## Overview + +GitHub is a widely used platform for version control and collaboration in software development, known for its comprehensive security practices. This assessment evaluates GitHub's compliance with industry standards and certifications, verifying its suitability as a third-party vendor for managing ROAR's code and development workflow. + +## Certifications and Compliance + +- **SOC 2 Type II**: GitHub complies with SOC 2 Type II, which validates its security, availability, confidentiality, and privacy controls. The certification ensures that GitHub maintains effective data protection measures and robust security controls. +- **ISO 27001**: GitHub is certified under ISO 27001, an international standard for information security management systems (ISMS). This certification demonstrates GitHub's commitment to systematically managing and protecting sensitive information. +- **Cloud Security Alliance (CSA)**: GitHub has undergone assessments under the CSA STAR certification, which evaluates the security of cloud service providers. + +Compliance details and reports can be accessed through the [GitHub Security Page](https://github.com/security). + +## Security Practices + +It is important to note that GitHub's security compliance confers no security benefits to ROAR if ROAR developers do not follow security controls. I recommend that all ROAR developers adhere to the following security controls. + +1. **Access Control** Access to GitHub is performed using two-factor authentication and is restricted to authorized personnel. +1. 
**Code Review** Code changes must be reviewed and approved in order to progress through the software development life cycle (SDLC) and deploy a version to production. +1. **Code Vulnerability Scanning**: Vulnerability scans for the source code are performed to identify security issues. High/critical issues are remediated in a timely manner. +1. **Automated Tests**: A successful test result is mandatory in order to continue with the SLDC and deploy a version to the production environment. +1. **Test Failure**: In case test failures are detected, a notification is sent to relevant stakeholders. Any code change with a failed test cannot be deployed into production. +1. **Change Approval**: All code changes need to be approved/authorized, prior to being deployed into production. + +## Conclusion + +GitHub's compliance with SOC 2 Type II, ISO 27001, and its robust security practices make it a reliable platform for managing code and collaborating on development projects securely. 
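Review bot: the new vendor-assessments/tpvar-github.md.bak file added by this hunk looks like an editor backup committed by accident and should be dropped from the patch. Its blob is 5aaf63c, the same pre-fix content the first hunk starts from (index 5aaf63c..28d8cf1), so it still carries the `SLDC` typo this patch sets out to fix and leaves two divergent copies of the report side by side in the tree. Suggest removing the file from the commit and adding a `*.bak` pattern to .gitignore so it cannot reappear; the subject line "Fix typo in GitHub vendor assessment" does not mention the extra file, which supports it being unintended.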
diff --git a/vendor-assessments/tpvar-github.pdf b/vendor-assessments/tpvar-github.pdf index 133ce70c08879f71218bc90370b7444dae2b5215..44b9733baf3b48660880cdfaed7578adcd58c430 100644 GIT binary patch delta 3979 zcmai%S5T9Ux`hp)Mw)P3{{a9Kt2!jS@t-i7q7tAK!Gul4(ST})TTJzqHmpS|T-EArZwi|V~j{RscM|E@UY@0#k z*yK09KEzg=mukiR^zC7IPt-E+W%J3?$j!;K*+=_BVV{!)0%MT578~}pX@O_`Zy{Ib z39xjw%s`s-47HcqVu)#UZ{U87hfV^rME#w_w1@BOH8E0NR`#3)XGRf2PVD5;<$(wG9|tmWwEG*xcY zu5}VZ(sCG^@_a{$E0FU(VI#w@j?>v)+bqdiHZ{zDmH+K0nQ`nJK5u@o^P+;E``nMl zR?Kp_Pg|V-hEO{3EI_)cmsZmjAYWwM&_MWTJwJpTFDKnB!EfP%d`~;E8rs9M^WtzCCrp_`%rcq) z5o`g-6ivN}@0G{;y@lF`8J;u=SH1ApdSG9Y&MRQ{=L}h3%e!n9>!>UC-BeYH7n-4_ zVHCV#MA~@AIn>R`bWC?sy-SU7VxG`2jRq3pjhnUt_^vcU8n~XbRQ> zC!G^Sm%RBjmVd@t`s#eS#}!037v(V=YupWtvr#tWl)xxEzy)p<6|eg1B;v-^hBI7Z zWLuM6FwcX0JhJf6>VmyL&U7f%iqGrUd?MVfwv_jp-hgC+R~?plgkBFdHtLgA5a!Eg zGcVD*q{U9xFdOHi%lDb($oI^J%SO~ZzfdxsR`RM}NF#A#at6lPMF!^Z0cvEc-6@bG zU*kS;m@S^kZd3QCnl0sy9^z(G06r^Q4qt6qfTt>1@OpGUR*HjLESscnj*G;AZrBVu z&Q6d1lvF<5b%eu#Af-2-9Nu(v0<)Nw!osG1(iC%B4Py3$4n-ARUGag+;1HW*)!hB6 zGV3GRXd9l6sqS~YrsRtZA=cKG*2L+0N6# zES{4{pNwqzFh(w0z2x$cr%Tfu?7BK0^l04%R|!woxX=k$M9K8E5Q1(KXIlyHO=5{z zPQlG&R_{!l(+2mxKGNxds&rx$E9`&cGXm3-$ zI^NIU6MS1E_6JcyQG|(a2u7ExzIaktQbR(HC&g`@>p3M}KLrAR&};xYUovl`Jlg^> zrpWJs7^+Wb1P@72uzDU6(4!3!6udrs3ses#K_TiD_CO7Pg=GEdA!wO|1dXU)_yc+l zri4qtkO(9ko?>|p;`omXItLZAqa-2X7_8@WFQ}vx{Qu_)jzIl;uDZ;z9!p!A%~P<1lF9ir%YM1_YBOz)&_ns;bzN$bdU&4P(#2V`v-bG1DhHH``t9%S-!j(T zW@fblj5-L>G`mr$l{Dt`d>xKHe#}cJhQ}ffMiNT`k*P`PT787t*IxYvP^x}xLS8>v zZ=$U=wt)X&5T5^l9(bS4mzpU2Sp~w-XGFu$W8}feAfQY_%j=yNlUVFvpD? z5&VJ-;T{lCKrR>Q4J6 zWFxxMTF{br=}E_Y@`O}5ui~=-U}fioiv8&iaFryR`yc5g%fNq{mKB2~xz%E5o z72Tx^PQG{{ah}QDhGQh#T{1LIL+#eQsKci~! 
zwz!7`P*iL5@_{bX4k0!jF*g>d?PTuyDyXwHK)?()Ou7fOM}j|?EwAzR#Hq?j$v?h; z6Mt-O&txiPce&>o{8Xg8=`#D2{#N5DO3UV(u>Kne!l0d7CF+`D)&f9T>;v{rC7~RK z-Q!Xd`K)yP)W&OPQsP-yg=Xb}K6oNGO~a-Z@b$Ye0?3+}~kNNwvIZVBKadY0PDE;I8c1&HGH2zU6^UxVC}ZZ+Pj=?v+_W#t#M3 z=nPu2>Ub5>h3q9W?}40+^JBPi{m`L(hRxVs(^gQd4E0p5gOghe)~$}_SIK!^hUYvF zAhG3FDyXh?+J_2z!67EY!5gaXq`Ox$G$i|ykTLF>G3$TgpquAMKIl1{g)KB`3AGV# zFhV)S8RXDy12?O~Q>oN=$t5_0G*LU4OkJQbcN8E9_#~Y95dGzyGW)I2PTtyPP7ImIV zGJBZ}7`eytb+V~Y^@xm8Mem0WR|*LR>R8#5^Va8frnU+x6Y>RPA2Xv!OZ1wtTRCd! zt|O(oh7?uuze#Z>;s&>4%kSUQ@rrc28Eo9YVMv+ByU4hnAk*bRK<;KS4~MJ(1}pF3 z`p=o4ZhU`L4VvfrPyLL5Rm>Rrli{-&IOjm-aXd(7F4>n z(tJ$cGLs*HzcwfO_7=xc1d*z#==%DCFv#AkAWi9koxH7vpM|ywQL3L07-qR2IT6+n z{g^p0FsnTKx1a^5oB52|elJ}fz*y?eF?ClU!i1B@P`g(j^}9|b-ph!UE{gteq+U%w zo;(Nh_QRM|#AK>q{}Zl>AV`L7X7BJRE`2JuBo*y2@xG9|Iw0m@AQ$cYi?aju{wHEp z=CSXpiFNomWyyhUXGe?Q^%5=X#@O#@`^d24>4%WhfoJkL7v0xmU4=7<0G`G79eG8T zmI{^-pP9DntBVrF^i(%t2T7gNZnqI%vNQ7rS?T38CV$YWilW`&3+mTDVf&h=e}Shn z{PA#KTy6;+*x4huT2I!t#HfJ7>+iFPpCry7u!-ZO`%dvg!W-!;^}6RDd9Rumk&tYP z1a$MM={^~-Fn_{FG_wYhS|&%UNoKxPq-p2R6)e@i!#qatC)YRu!uhNy zC@Z@SU2}vcS)-h;QTv12DkA2EiNeY0JEsxyw>%Q;muVJmB^i&$3o-6gGg}0m`}(t! 
zoYwg%4JFQZw7PW?+W|$=Bb@ck&0qHPK4*^zZDL z+iHPdswTT59Y|3#`kJ;QwLwZui#<{dUvSg+r$Hm3QuJS5_ZR-s2n(M~iX6MRe(!Rn zJJNc_XXsX8?rWd|E&7j+h}Jcmo$~$d^pGySwB361%pU%WuHedA<+UF|rW#J__t7=C zpEdGdyr^?k3hV%cy9e?L?i6Y^dXmnGcE$DW9}twdzn8uL@kV_8>}%_H)2Uv0?}6k- z=h8C3%IZ?l%&aiuw{yMe)Mm-YKjX;r-$tjF#+OZ5i^!hn#-af2$vr9n59YP{#YwCSC+6?A%qPM?*onFT@fc$@%yCHzLe%VGa>V)VWd=0f*diKCXq76Yg!?(dsjo?hB%0m+njx+FR-M#gnw&PAVMH z4?hN5yLkI<`9E8~=W@UnL`i@i>E|&EvU!&6i(x<8`OddRdCy(BDj&_&we=}NEB1%H zTY0+*GUqs#i&{?$aSARwo8~MrS2U`V75_jS-0h!xc{|`W70MZH~ zZjAMJfTEEQaWkl;1QY?4_?sDdcz8k4@V_)^1QFMAcl3aw5&t%7P)j*=WoZ~fMMYg& zOH)q=dgymiXpw)$hOAC zFY4Q?_;yrUZ3RPeXOP?hiJTJV(M!_rXlap&JPT3YeMw%73AX}|Fso*<=D3eo>Prr} z1u|}(Pjs}Tw&co`%B;Nf;jEoJAgxqYs!@@_-fc(db?K8}Ii@U1hX=}JCA&1pqR%Xn zSyUf}U!v}2gZb8A9jyMtW>mx(OY)Ke+cATqor|Dp@1vDtk0vsL9oTZZos0IVNeeNO ceMsGU7sKeE5>HOT4MD=u5CH*oeGKG(0D?PqFaQ7m delta 3859 zcmai%X*kr48pfL;G_vpe$U5^{W|+mkjWs*jRm4zXY(pXbp%9TRTh_9Nh!7*Pl_g9= zwh%%R*^RaHp6e`M&WH2ud7kUO?&sU@y6@>EhUP?uTGtDF3K%E?>U-lhL`@AMZ-OUy z5^qA02rLGgCdw=YRNEQ{PGeZ#t=Vnb`t?TfKn>5eRS@!&D17E_GoJ;eQyM3%isA8n z((UgUWePKwO7m79LNks}_Pe5zN#e<*XIl0^jyd6XwHd7+qpkSPiY^USFXhKqKd0|~ zq{|w0hn171V0-jTu})n;>vWm*g^qW{@ncuVd~Z21a-2EuzY(9C?X-$5o?>a~1tK>Mh8a`~V_`u$Gil-s`WM34N z?~rzHFK11+=yHw1J>RslK40IKc5s}f+VHlnaUT<{7N@51{{FRdxl`W+REor_=P%V8 z9HXa(d#}O)nYHl}r<1U&%7e7e${g!M4JDM6Yv1d&46cs0kHi@JvvuI|>a%xXlL$F$ zSQg+Co&O=@#=0}sO-8;biOEf1|C5&R7rdQojdC_Mg2!8gsNxv5VA!VaKb!XU$=5rr zr2<|@M{g#pqh{f8`4OjwNu$WDmnv*LtU8gVGUc5>aHhVs>_lML zujtySnKFpi?Wq+0Z94kr<|)QC>B@J0!k`m41L5$ZB@4>NNC=ylM(d9canWhdq1^{? 
zoAvj=cIgkf&u=#`{l4UbzJLzZ}jkJAAjtpDYyhDs?3i) zioEZ&Qu)QQkzpfA&_*WoW{b7XyXE=zBBw1OpydLyA2K4|Iq<4Ics{AWanydm<5{x7 zZJHnJ=-#{*F1ovNawnnvMi?)rm2suo$d3J1nhBbR>$mCS!&DVI?r!E*sfm~Tu(xZf z(9K9}wQ2Wx7n0AqC(}96oV`0`6V28}eaNe!i7@CMimeT&(B6BM_sxzvo1_@>hcj$L74LgxTQY}J?vN=Oo$Ye&t0+2N-> zx$!u{O2#~}Ec+8b@7|Wt1(|LM)oa93Lb7R~Z;twpi=%A@@*0CQn zE46wwf8u$2Kyax2&AS`cq@zR4GqZWO%FSWAWXAlw`pS#waPN$ly?NR$lmon(fHBeT z*mUGBv31g5N}b4-mZtq%LoE*lnGl<$A7S7Rf>E7mVEDeZ#M=q4dB=*Aitjctlt2Q|^8%`c2?)+XDM9q_x?5SucL%I^DQV7V)=go@4Pb_2Hs%&4egg z#JFMynyq>ns;cS)jXYvbj&i48;|DO`OeJ6z12f?TEBlMrj3l!>92L5X{Rb6gQN~%A z45LBXVe#cFoy8u##;nMMg3m}VAA?X2j%324GE0lF=h-bEy3`24q;KE)i zV|>L0A_HcMxIC{H+ih$(2KHV1C2k37G4rPc&j7aVhow~S*~=wc+CNqML< z_~X_k;zg=DbyJ?hH46lQFDaGKCgR>~=BMbfFLLX9m1RAIvxsuT#nY2vy^oSEJb2*F z9VediIPxawLl#;1Dr28`0yL@`F#EPn_8+8;;?~3&X1%`)_UHFwc#KQs;=PkBBbqNW z!n%x-@#FnKs?P!Gt8zg7h3CdOWG zAGGR~k9~40R%C?&&$E>X)E%EcZ5UkXk(Oo4RoaBL4abP={QhO@(jf^nmXUB@-Q~rj znTt7Hq~yi+$iy7ngsd%dg%HsZzUUnb3?>{m#BF!q|1&sDMXE3i-`{-#=k+P1Lw?rZ zt)e&7KX3_XcsVf=91Af>DNZn9S_txcdnP9 zO3MyDZ!oYg?H8enGULLfWhY?=WP;6SbxwSxa}wrcGGv2Y^dwx8iN#a`|cmm;T6cP7V^yhdz%!7!|Y%H2PGVU0xpI z;MrazS>iF}x6A~brot;_pGo@MDVS2I3>u11#Cj#vv`n)O{^sW##6Z~YujpSR6YD*G zO;790G>$Abk}6XUMo#$Ayfq#>z0(0R)2;#^mp1*ownw4JTkh3a&r5fGL^>N;>=Icl zJ4joS(?UA~F)kAb8=pIC4DCLTIA3*SHwopS^q&e)gH(ZukgfhCV9)n z*=9l4)48A4?65R!NEHImqOq!{S`dtsU(`kqRpa(oQ6)u|nVk+rDO`^3QHJj~p>J`H z%W6ny9m?pQi3$0NdW>pm#IaK2FvqIiv)Sej_DFF~`Zf;an}kw_bA%L8Rh;yEO?NoK zzmQFZ8*q42Mq#Ze?DGHR0^AehXv)YJA9A3wO4}J^@So~z3xt#3n3L(Y)u(8~H!~H? 
zL!I7qJYaXBCxU|5rntb;Ib_=3r7#0K-zFf|+{K$aJagMZS_y_h!vX3D) zaW&Wl^bjXRpX!tTWbIM@eW#ATP|)qmoUo$U0szJH!J@FciHm7CjD`HtG*k}_snuD& z@!~X2)0M|ZR6q^y(oBNoNmbPf*NUmhO5o}Wi8JHAPeLyLev=T$9dNG@>wO>>DirQO z)jfhSyK__%1jfCq>dM{ENpeaF_&7Z`z`zFS^%#zLot~E&&{&GWhK#-!p_eZxE_C@) z0Tp{=^B-qwMgx{9pDIb^zbV6AQiIOns|Uk!XZN@$=`ZISx<7?bkp*9)Zz|lA$*!o- z?9E+DhIiv|NfvyupGuM&1fPmsb|j4$M#j_^P=5J4gSd%CuunoaJcFqY=v?;~FIE@D z@!&_mQ;nH#Ut;2~^O$si6?(g(iEOKCEF7pUvG4)k z-83Sy6DhD^>I2O!*l>u3>EYvH>8ClxEH2^x-L7Y7h+!o|Mp#5r| zr*TttUbCm=S1vHsxy5W`>j)aM)X=VbnDg_NJ#Ikc%*<$4{E09d6UkEGJ12%jVGlrvWaY0?IUmSMJAqcuq&ni zRQkrbV9?AieRslU0)&ieW|fW`l;SiHWDJt_H`@`&pzbBIy%=R4zS#8QQLP=i`D300 zNNwWUlBwy?LZNQ9rVJ(PL3@Zx1BRhKA$0}ySAYB$aY81urih%1#oRp5?tU=VT>M)x zg~-Rit;l}SdF6U3UoUHLdzisH{F>@D3z@!&$HH>ng>2@4B($$Os@)$;c=Jed`o}>?)hcok z+hTBhg>nzG*|gtJ?lKN9e}YV0vYeoUR_M(P_EjsLVrH{#^1KaNrcy4!tS(y7nOA+X zM85f@2IRWL_)&}T9MLX3{QEOD+52nT&y4K(LkPRK z#R@Yyo2W3)T$Xd%+5T}eBW%6ME12wdbYX?_k5#F$)vw6aMeX<-8P^9t-#Tr}>MQ97 zXub=oFJ;c}f;d3RnRVyEq5$G5MBe&VC?1MMK;-S9PDrRC6#4hf%GZ|&#bEy~a#j#| zBZ7x76r=R-MHlL%rme4w(bh%lV-$1{`pViUZDkx*8Kr>GN28T+iUM1e{l$dw z-|Y~ChW;x`35{Tx!P>04kxLw+`~ zN)bCl2wf^XwKk8X_gm~aT31?8hAvvcxciKjaoU3Hi1RE~@Sz?;u_%qhM{Qw<#RGJD z;l;nowYV}YqE%!HL8e(aM!Jz0QDWgs_SR{|(8^L%g7x)1|I
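Review bot: the binary delta for vendor-assessments/tpvar-github.pdf cannot be reviewed from the diff, so the only check available is indirect: the blob moves from 133ce70 to 44b9733 and grows from 132792 to 132955 bytes, which is plausible for a rebuild after a one-word change, but it should be confirmed that the PDF was regenerated from the corrected tpvar-github.md rather than from the .bak copy, since both files exist after this patch. Suggest saying in the commit message that the PDF was rebuilt from the markdown, or building it in CI from the source so a reviewer can reproduce the artifact instead of trusting an opaque binary.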