Meshery Security Self-Assessment refreshed

[Mia Grenell]

Hi Everyone,

A few Meshery maintainers spent time refreshing the project's security self-assessment this week. 

https://docs.google.com/document/d/17BqoEibnFdgx1U97AwM4RRkEbwTin_T78_W_WzB-0Gg/edit?usp=sharing

Please review and remark at your leisure.

Best,

Mia

[Mohd Hamza]

Hi Mia, All,

I spent time reviewing today and offered a couple of comments in the document. One comment that I think is worth repeating here and being heard a bit more broadly is that of any ongoing reference to service mesh technology. I think most everyone here understands that the genesis of the project was in part in context of that specific technology, however, the project broke free of that constrained association some time ago (i.e. . I think the continued association with this technology (even simply the mention of it) does the project and all of our hard work a disservice. In my mind, when people become aware of the project, as they give it a cursory look, and if they stumble upon those two words, service and mesh, they quickly conclude that the project is only useful if they are using those technologies; those two words only serve to reinforce the individual's internal feeling that the "mesh" portion of Meshery's name was in reference to service mesh technology. 

What I am saying is that I think to the extent we can simply not mention that technology, all the better. I know I've heard some of the other maintainers and Calcote say this a handful of times, so I assume that there's I understand that there's no disagreement in here, however, it doesn't hurt to reinforce that the absence of the words is probably the best choice in most cases, including in the security self-assessment. Or at least that's my opinion.

Regards,

Mohd.

----

TCS Labs

[Lee Calcote]

List of known security vulnerabilities has been updated - https://docs.meshery.io/project/security-vulnerabilities/