Security Assessment Questionnaires (Vision)
Problem to solve
Security should start very early in the development process. It should be present from the beginning, when a new application is first envisioned and planned.
In this way, security becomes a first-class goal rather than something bolted on later, or worse, forgotten until a major security incident happens.
That is why it is important to have a feature that pushes security into the planning phase. It also allows early involvement of the Security Team, which can discuss the plan and help choose the right approach from the start.
Proposal
Add Security Assessment Questionnaires to the GitLab workflow, so there is an easy way to create a questionnaire, fill it in, and review whether the security aspects have been considered when planning a new application.
The feature could be accessed through a dedicated button or link, so that it is easily discoverable by any user, and perhaps suggested as a possible action for new projects. We don't want to enforce workflows, so it should not be mandatory.
Once the answers are available, they can be reviewed and discussed with the Security Team.
Some existing tools (e.g., https://github.com/google/vsaq) already implement a flexible way to define questionnaires and collect this information.
What does success look like, and how can we measure that?
Number of projects that have created (and completed) a Security Assessment Questionnaire
Links / references
- VSAQ: Vendor Security Assessment Questionnaire: https://github.com/google/vsaq