diff --git a/docs/persistency/docs/index.rst b/docs/persistency/docs/index.rst index 62a2a1fd..1fcafe24 100644 --- a/docs/persistency/docs/index.rst +++ b/docs/persistency/docs/index.rst @@ -23,5 +23,7 @@ Module Documents Persistency manual/index.rst safety_mgt/index.rst + security_mgt/index.rst verification/module_verification_report.rst release/release_note.rst + diff --git a/docs/persistency/docs/security_mgt/index.rst b/docs/persistency/docs/security_mgt/index.rst new file mode 100644 index 00000000..49998d3c --- /dev/null +++ b/docs/persistency/docs/security_mgt/index.rst @@ -0,0 +1,23 @@ +.. + # ******************************************************************************* + # Copyright (c) 2025 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +Security Management +################### + +.. toctree:: + :titlesonly: + + module_security_plan + module_security_plan_fdr + module_security_package_fdr diff --git a/docs/persistency/docs/security_mgt/module_security_package_fdr.rst b/docs/persistency/docs/security_mgt/module_security_package_fdr.rst new file mode 100644 index 00000000..e2b59424 --- /dev/null +++ b/docs/persistency/docs/security_mgt/module_security_package_fdr.rst @@ -0,0 +1,68 @@ +.. + # ******************************************************************************* + # Copyright (c) 2025 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +Security Package Formal Review Report +===================================== + +.. document:: Persistency Security Package Formal Review + :id: doc__persistency_security_package_fdr + :status: valid + :safety: ASIL_B + :security: YES + :realizes: wp__fdr_reports + :tags: persistency + +**1. Purpose** + +The purpose of this review checklist is to report status of the formal review for the security package. + +**2. Checklist** + +.. list-table:: Security Package Checklist + :header-rows: 1 + + * - Id + - Security package activity + - Compliant to ISO SAE 21434? + - Comment + + * - 1 + - Is a security package provided which matches the security plan (i.e. all planned work products referenced)? + - [YES | NO ] + - + + * - 2 + - Is the argument how security is achieved, provided in the security package, plausible and sufficient? + - NO + - The argument is intentionally not provided by the Project. + + * - 3 + - Are the referenced work products available? + - [YES | NO ] + - + + * - 4 + - Are the referenced work products in released state, including the process security audit? + - [YES | NO ] + - Security audit is currently not planned, tailored out. + + * - 5 + - If security related deviations from the process or security concept are documented, are these argued understandably? + - [YES | NO ] + - + + * - 6 + - Are the requirements for post-development available? + - [YES | NO ] + - diff --git a/docs/persistency/docs/security_mgt/module_security_plan.rst b/docs/persistency/docs/security_mgt/module_security_plan.rst new file mode 100644 index 00000000..03c602b9 --- /dev/null +++ b/docs/persistency/docs/security_mgt/module_security_plan.rst @@ -0,0 +1,227 @@ +.. + # ******************************************************************************* + # Copyright (c) 2025 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +Module Security Plan +******************** + +.. document:: Persistency Security Plan + :id: doc__persistency_security_plan + :status: valid + :safety: ASIL_B + :security: YES + :realizes: wp__module_security_plan + :tags: persistency + +Security Management Context +=========================== + +This Security Plan adds to the :need:`gd_guidl__security_plan_definitions` all the module development relevant workproducts needed for ISO SAE 21434 conformity. + +Security Management Scope +========================= + +This Security Plan's scope is a SW module of the SW platform :ref:`module_documentation`. +The module consists of one or more SW components and will be qualified as a EooC. + +Security Management Roles +========================= + +.. list-table:: Module roles + :header-rows: 1 + + * - Role + - Assignee + + * - Security Manager + - TBD + + * - Module Project Manager (= Feature team lead) + - TBD + +Tailoring +========= + +Additional to the tailoring in the SW platform project as defined in the :need:`gd_guidl__security_plan_definitions` we define here the additional tailoring on module level. + +| - Excluded for this module are additionally the following workproducts (and their related requirements): +| - No workproducts excluded + +Security Module Workproducts +============================= + +.. list-table:: Module Workproducts + :header-rows: 1 + + * - Workproduct Id + - Link to process + - Process status + - Link to issue + - Link to WP + - WP status + + * - :need:`wp__module_security_plan` + - :need:`gd_guidl__security_plan_definitions` + - :ndf:`copy('status', need_id='gd_guidl__security_plan_definitions')` + - + - this document + - valid + + * - :need:`wp__module_security_package` + - :need:`gd_guidl__security_package` + - :ndf:`copy('status', need_id='gd_guidl__security_package')` + - + - this document (including the linked documentation) + - valid + + * - :need:`wp__fdr_reports` (module Security Plan) + - :need:`gd_chklst__security_plan` + - :ndf:`copy('status', need_id='gd_chklst__security_plan')` + - + - :need:`doc__persistency_security_plan_fdr` + - :ndf:`copy('status', need_id='doc__persistency_security_plan_fdr')` + + * - :need:`wp__fdr_reports` (module Security Package) + - :need:`gd_chklst__security_package` + - :ndf:`copy('status', need_id='gd_chklst__security_package')` + - + - :need:`doc__persistency_security_package_fdr` + - :ndf:`copy('status', need_id='doc__persistency_security_package_fdr')` + + * - :need:`wp__fdr_reports` (module's Security Analyses) + - :need:`gd_guidl__security_analysis` + - :ndf:`copy('status', need_id='gd_guidl__security_analysis')` + - + - + - + + * - :need:`wp__audit_report_security` + - performed by external experts + - n/a + - + - + - + + * - :need:`wp__module_security_manual` + - :need:`gd_temp__security_manual` + - :ndf:`copy('status', need_id='gd_temp__security_manual')` + - + - + - + + * - :need:`wp__verification_module_ver_report` + - :need:`gd_temp__mod_ver_report` + - :ndf:`copy('status', need_id='gd_temp__mod_ver_report')` + - + - + - + + * - :need:`wp__module_sw_release_note` + - :need:`gd_temp__rel_mod_rel_note` + - :ndf:`copy('status', need_id='gd_temp__rel_mod_rel_note')` + - + - + - + + * - :need:`wp__sw_module_sbom` + - template not yet created + - not started + - + - + - + + +.. list-table:: Component Workproducts + :header-rows: 1 + + * - Workproduct Id + - Link to process + - Process status + - Link to issue + - Link to WP + - WP status + + * - :need:`wp__requirements_comp` + - :need:`gd_temp__req_comp_req` + - :ndf:`copy('status', need_id='gd_temp__req_comp_req')` + - + - :need:`doc__persistency_kvs_requirements` + - + + * - :need:`wp__requirements_comp_aou` + - :need:`gd_temp__req_aou_req` + - :ndf:`copy('status', need_id='gd_temp__req_aou_req')` + - + - :need:`doc__persistency_kvs_requirements` + - + + * - :need:`wp__requirements_inspect` + - :need:`gd_chklst__req_inspection` + - :ndf:`copy('status', need_id='gd_chklst__req_inspection')` + - n/a + - Checklist used in Pull Request Review + - n/a + + * - :need:`wp__component_arch` + - :need:`gd_temp__arch_comp` + - :ndf:`copy('status', need_id='gd_temp__arch_comp')` + - + - :need:`doc__persistency_kvs_architecture` + - + + * - :need:`wp__sw_component_security_analysis` + - :need:`wp__sw_component_security_analysis` + - :ndf:`copy('status', need_id='wp__sw_component_security_analysis')` + - + - + - + + * - :need:`wp__sw_arch_verification` + - :need:`gd_chklst__arch_inspection_checklist` + - :ndf:`copy('status', need_id='gd_chklst__arch_inspection_checklist')` + - + - Checklist used in Pull Request Review + - + + * - :need:`wp__sw_implementation` + - :need:`gd_guidl__implementation` + - :ndf:`copy('status', need_id='gd_guidl__implementation')` + - + - + - + + * - :need:`wp__verification_sw_unit_test` + - :need:`gd_guidl__verification_guide` + - :ndf:`copy('status', need_id='gd_guidl__verification_guide')` + - + - + - + + * - :need:`wp__sw_implementation_inspection` + - :need:`gd_chklst__impl_inspection_checklist` + - :ndf:`copy('status', need_id='gd_chklst__impl_inspection_checklist')` + - + - Checklist used in Pull Request Review + - + + * - :need:`wp__verification_comp_int_test` + - :need:`gd_guidl__verification_guide` + - :ndf:`copy('status', need_id='gd_guidl__verification_guide')` + - + - + - + +Special Note +============ + +Module security plan template will be refined and existing content will be synchronized as per new template. diff --git a/docs/persistency/docs/security_mgt/module_security_plan_fdr.rst b/docs/persistency/docs/security_mgt/module_security_plan_fdr.rst new file mode 100644 index 00000000..dd7c3588 --- /dev/null +++ b/docs/persistency/docs/security_mgt/module_security_plan_fdr.rst @@ -0,0 +1,111 @@ +.. + # ******************************************************************************* + # Copyright (c) 2025 Contributors to the Eclipse Foundation + # + # See the NOTICE file(s) distributed with this work for additional + # information regarding copyright ownership. + # + # This program and the accompanying materials are made available under the + # terms of the Apache License Version 2.0 which is available at + # https://www.apache.org/licenses/LICENSE-2.0 + # + # SPDX-License-Identifier: Apache-2.0 + # ******************************************************************************* + +Security Plan Formal Review Report +================================== + +.. document:: Persistency Security Plan Formal Review + :id: doc__persistency_security_plan_fdr + :status: valid + :safety: ASIL_B + :security: YES + :realizes: wp__fdr_reports + :tags: persistency + +**1. Purpose** + +The purpose of this security plan formal review checklist is to report status of the review for the security plan. + +**2. Checklist** + +.. list-table:: Security Plan Checklist + :header-rows: 1 + + * - Id + - Security plan activity + - Compliant to ISO SAE 21434? + - Comment + + * - 1 + - Is the rationale for the security work products tailoring included? + - [YES | NO ] + - + + * - 2 + - Is impact analysis planned in case of re-use of SW (needed for every release following the first formal release)? + - [YES | NO ] + - + + * - 3 + - Does the security plan define all needed activities for security management (incl. Review and Security Audit)? + - [YES | NO ] + - + + * - 4 + - Does the security plan define all needed activities for SW development, integration and verification? + - [YES | NO ] + - + + * - 5 + - Does the security plan define all needed activities for security analysis? + - [YES | NO ] + - + + * - 6 + - Does the security plan define all needed activities for supporting processes (incl. tool mgt)? + - [YES | NO ] + - + + * - 7 + - Does the security plan document a responsible for all activities? + - [YES | NO ] + - + + * - 8 + - If Off-the-shelf (e.g. existing OSS) software components is used, is it planned to be analysed? + - [YES | NO ] + - + + * - 9 + - Is a security manager and a project lead appointed for the project? + - [YES | NO ] + - + + * - 10 + - Is security plan sufficiently linked to the project plan? + - [YES | NO ] + - + + * - 11 + - Is security plan updated iteratively to show the progress? + - [YES | NO ] + - + + * - 12 + - If Out-of-context software components is used, are the assumptions documented? + - [YES | NO ] + - + + * - 13 + - Does the security plan define all needed activities for SBOM generation? + - [YES | NO ] + - + + * - 14 + - Does the security plan define regular vulnerability scans for the generated SBOM? + - [YES | NO ] + - + +.. note:: + Off-the-shelf means existing software which may used w/o modification, e.g. existing OSS