Cloud Infrastructure Security & Compliance / CMP-1003

[SA-11(1)]: Reach out to prodsec to find out if there's been progress on the static analysis side


Details

    • Type: Story
    • Resolution: Done
    • Priority: Normal
    • Sprint: CMP Sprint 35

    Description

      SA-11(1) asks for static analysis to be implemented. There has recently been an effort by prodsec to run tools developed by Kamil Dudka. There even seems to be a report:

      https://docs.google.com/document/d/1Ob0hEWdWebM5Nvi68ab6iO-9SL555bKADjLX4EbVOmc/edit


      But at the moment, it is unclear to me how the whole process works and at which point the flaws are pointed out to developers and acted on.

      The control requires that:

      The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis.


      Acceptance criteria:

      • find out if the work done by Kamil and prodsec is enough to satisfy SA-11(1)

          People

            jhrozek@redhat.com Jakub Hrozek