Currently, anyone can check off the "security review" service, and be listed in the marketplace. Without pointing any fingers, there are organizations listed there that I'm fairly certain are not qualified to provide a proper security review.
I'd like to propose that the "security review" service on the marketplace be treated more like the 'hosting' services. That is, an exclusive service that entails some extra steps before being listed.
After a brief discussion with mlhess this morning, we came up with a couple quick ideas:
- Assign one or more security issues to a candidate to fix (under the supervision of an existing Security Team member)
- Subsidize an employee's participation on the Security Team (5+ hrs/wk)
But really, these are just off-the-cuff ideas. A broader community discussion is probably worthwhile; hence this issue.
Comments
Comment #2
mlhess
Comment #3
mlhess
I would be ok with the company providing evidence that they can do a "security review"
Comment #4
ergonlogic
From https://assoc.drupal.org/about:
This would presumably complicate the DA's direct financing of the Security Team's activities. Still, it would be nice if eligibility to be listed as offering security-related services, supported the team's efforts, even if perhaps not financially.
Comment #5
mlhess
I am less concerned about the funding of the team, and more concerned that we are recommending folks that can do a "real" security review.
Just like with hosting where we run a simple test to make sure folks are following best practices.
Comment #6
greggles
This makes some sense to me. It's easy to check off boxes in the hopes of picking up work.
Comment #7
colan
What about setting this up as a new revenue stream for the DA? The DA can start offering security reviews by taking a cut, and then handing the jobs to trusted service providers.
The only real work here is figuring out who's trusted, but there are already some ideas in the description.