Remove global.json and add extensive documentation for SBOM-first supply chain spine, diff-aware releases, binary intelligence graph, reachability proofs, smart-diff evidence, risk budget visualization, and weighted confidence for VEX sources. Introduce solution file for Concelier web service project.
@@ -0,0 +1,58 @@
Here’s a simple way to make “risk budget” feel like a real, live dashboard rather than a dusty policy—plus the one visualization that best explains “budget burn” to PMs.
### First, quick background (plain English)
* **Risk budget** = how much unresolved risk we’re willing to carry for a release (e.g., 100 “risk points”).
* **Burn** = how fast we consume that budget as unknowns/alerts pop up, minus how much we “pay back” by fixing/mitigating.
### What to show on the dashboard
1. **Heatmap of Unknowns (Where are we blind?)**
* Rows = components/services; columns = risk categories (vulns, compliance, perf, data, supply-chain).
* Cell value = *unknowns count × severity weight* (unknown ≠ unimportant; it’s the most dangerous).
* Click-through reveals: last evidence timestamp, owners, next probe.
2. **Delta Table (Risk Decay per Release)**
* Each release row compares **Before vs After**: total risk, unknowns, known-high, accepted, deferred.
* Include a **“risk retired”** column (points dropped due to fixes/mitigations) and **“risk shifted”** (moved to exceptions).
3. **Exception Ledger (Auditable)**
* Every accepted risk has an ID, owner, expiry, evidence note, and auto-reminder.
### The best single chart for PMs: **Risk Budget Burn-Up**
*(This is the one slide they’ll get immediately.)*
* **X-axis:** calendar dates up to code freeze.
* **Y-axis:** risk points.
* **Two lines:**
* **Budget (flat or stepped)** = allowable risk over time (e.g., 100 pts until T‑2, then 60).
* **Actual Risk (cumulative)** = unknowns + knowns − mitigations (daily snapshot).
* **Shaded area** between lines = **Headroom** (green) or **Overrun** (red).
* Add **vertical markers** for major changes (feature freeze, pen-test start, dependency bump).
* Add **burn targets** (dotted) to show where you must be each week to land inside budget.
### How to compute the numbers (lightweight)
* **Risk points** = Σ(issue_severity_weight × exposure_factor × evidence_freshness_penalty).
* **Unknown penalty**: if no evidence ≤ N days, apply multiplier (e.g., ×1.5).
* **Decay**: when a fix lands *and* evidence is refreshed, subtract points that day.
* **Guardrail**: fail gate if **unknowns > K** *or* **Actual Risk > Budget** within T days of release.
### Minimal artifacts to ship
* **Schema:** `issue_id, component, category, severity, is_unknown, exposure, evidence_date, status, owner`.
* **Daily snapshot job:** materialize totals + unknowns + mitigations per component.
* **One chart, one table, one heatmap** (don’t overdo it).
### Copy‑paste labels for the board
* **Top-left KPI:** “Headroom: 28 pts (green)”
* **Badges:** “Unknowns↑ +6 (24h)”, “Risk retired −18 (7d)”, “Exceptions expiring: 3”
* **Callout:** “At current burn, overrun in 5 days—pull forward libX fix or scope‑cut Y.”
If you want, I can mock this with sample data (CSV → chart) so your team sees exactly how it looks.
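Review bot: the minimal schema under "Minimal artifacts to ship" (`issue_id, component, category, severity, is_unknown, exposure, evidence_date, status, owner`) has no field for an exception's expiry or evidence note, so the Exception Ledger described earlier in the same file ("Every accepted risk has an ID, owner, expiry, evidence note, and auto-reminder") and the "Exceptions expiring: 3" badge cannot be produced from the data the file says to ship; add `expiry_date` and `evidence_note` columns, or a separate exceptions table keyed by `issue_id`, so the daily snapshot job can compute both. Two smaller points in the same hunk: the burn-up chart defines Actual Risk as "unknowns + knowns − mitigations (daily snapshot)" while the compute section defines risk points as Σ(issue_severity_weight × exposure_factor × evidence_freshness_penalty) with decay subtracted only on the day a fix lands and evidence is refreshed, so state which of the two is the canonical snapshot value and how `is_unknown` and `status` feed into it; and the unknown-penalty rule "if no evidence ≤ N days, apply multiplier" should read "if the newest evidence_date is older than N days" so the comparison direction is unambiguous to whoever implements the snapshot job. Finally, the closing line "If you want, I can mock this with sample data (CSV → chart) so your team sees exactly how it looks." is a conversational offer rather than documentation and should be dropped or replaced with a concrete TODO for the sample CSV.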