bsi mappings to gv

Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
| - reference-id: BSI-TR-03185-2 | ||
| entries: | ||
| - reference-id: GV.01 | ||
| - reference-id: QA.04 |
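Review bot: the `QA.04` entry under `BSI-TR-03185-2` carries no rationale in the file and is the one entry this thread disputes; since this list is the project's outgoing claim that satisfying this control supports QA.04, either drop the entry or record the reasoning beside it (a YAML `#` comment is enough), for example `# QA.04: contribution docs describe running the test suite`, so the next person editing the mapping does not have to rediscover the argument. The same comment would be the natural place to note the possible `BR.01` mapping raised below.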
I feel QA.04 is not aligned in this case. Apart from this the remaining reference mappings are consistent. CC: @eddie-knight
OSPS-GV-03 is explicitly called out by BSI when they did their mapping. I would prefer not to adjust their work without their inclusion.
@SecurityCRob I'm curious about that comment... I typically expect the document to contain outgoing mappings. So this is our claim that completing this will give some level of completion to the other control. Any claims they make are independent, right?
Yes, fulfilling OSPS controls helps support downstream in defending their compliance to auditors. "Compliance" is always in the eyes of the auditor, but the mappings reflect where tasks are aligned or support that defense.
I think "explaining the contribution process" is aligned with "procedures for testing", presuming that the project documents running the tests when contributing code.
I'd suggest there might also be a mapping to BR.01 ("how to build software assets") here, implicitly.
See #460 (comment)
The BSI mappings are based on the 2025-02-25 version, so they don't "see" any changes or improvements we made either on 2025-10-10 or since then. This means that we can't really directly say that the BSI mappings are "authoritative", because they are pointed at something immutable in the past, rather than the next-published version, which is what these PRs go into.
evankanderson left a comment
I'd argue that GV-04 ("code contributors reviewed prior to granting escalated permissions") should have a mapping to GV.02 ("the project's ... MUST be protected against unauthorized actions"), even though it's not in the BSI TR-03185-2 document.
| - reference-id: UKSSCOP | ||
| entries: | ||
| - reference-id: Claim 2.1.1 | ||
| - reference-id: Claim 2.1.1 |
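Review bot: the two `reference-id: Claim 2.1.1` lines in this hunk differ only in whitespace (the question below asks why the extra space was added). A whitespace-only change to an identifier line is noise in the diff, and if the space is part of the value rather than the indentation it changes what the id compares equal to against the UKSSCOP reference. Suggest reverting this line so the entry stays exactly `- reference-id: Claim 2.1.1` as before.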
Why add an extra space here?
| - reference-id: Claim 2.1.1 | |
| - reference-id: Claim 2.1.1 |