Concur on both. I've been in an appsec mode recently and sending people to the OWASP site so that came to mind, but CVSS is better known. I mentioned CVE directly as "MITRE" might confuse people, but probably not an issue. Wiki's been updated.
Any other feedback/thoughts are welcome…

John

On Jun 22, 2012, at 4:21 PM, Clement Chen wrote:

> Hi John,
>
> It looks nice. Two comments:
>
> 1. Regarding risk rating, it seems to me that CVSS (http://www.first.org/cvss) has wider adoption than the "OWASP risk rating methodology". Every security vulnerability in the National Vulnerability Database (http://nvd.nist.gov/) has a CVSS score.
> 2. It should be "Security team works with MITRE to reserve a CVE identifier". MITRE is the organization that manages CVE.
>
> Thanks.
>
> -Clement
>
> -----Original Message-----
> From: John Kinsella [mailto:j...@stratosec.co]
> Sent: Thursday, June 21, 2012 7:26 PM
> To: cloudstack-dev@incubator.apache.org
> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
> Subject: Re: Query regarding where to store encryption keys
>
> OK - draft up at http://wiki.cloudstack.org/display/COMM/Draft%3A+Security+response+procedure
>
> I think out of the 3 below, I like the OS and Eucalyptus pages the most, as they stress that security is important and that contact will be responded to quickly.
>
> Give feedback on the draft above - then let's talk next steps...I'd say we need a security list, a PGP key behind it, a security notification page somewhere on the CS site, and I wouldn't mind seeing a twitter feed specifically for security announcements, as well...
>
> John
>
> On Jun 20, 2012, at 1:21 PM, Clement Chen wrote:
>
>> We should set up a dedicated channel for security issues and handle security bugs carefully.
>>
>> Below are some of the examples:
>>
>> Apache HTTP Server Project: http://httpd.apache.org/security_report.html
>> OpenStack: http://openstack.org/projects/openstack-security/
>> Eucalyptus: http://www.eucalyptus.com/eucalyptus-cloud/security/procedures
>>
>> -Clement
>>
>> -----Original Message-----
>> From: David Nalley [mailto:da...@gnsa.us]
>> Sent: Wednesday, June 20, 2012 12:59 PM
>> To: cloudstack-dev@incubator.apache.org
>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>> Subject: Re: Query regarding where to store encryption keys
>>
>> On Wed, Jun 20, 2012 at 3:50 PM, Ewan Mellor <ewan.mel...@eu.citrix.com> wrote:
>>>> -----Original Message-----
>>>> From: David Nalley [mailto:da...@gnsa.us]
>>>> Sent: Wednesday, June 20, 2012 12:32 PM
>>>> To: cloudstack-dev@incubator.apache.org
>>>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>>>> Subject: Re: Query regarding where to store encryption keys
>>>>
>>>> On Wed, Jun 20, 2012 at 3:15 PM, Vijayendra Bhamidipati <vijayendra.bhamidip...@citrix.com> wrote:
>>>>> Hi Team,
>>>>>
>>>>> This is with reference to bug CS-15151 (http://bugs.cloudstack.org/browse/CS-15151). I have some questions and it would be great if you could share your knowledge and suggestions.
>>>>>
>>>>
>>>> Why is that bug not publicly visible?
>>>
>>> Probably because it's highlighting a potential security hole. That seems like a reasonable precaution for the reporter to have taken.
>>>
>>> Would you like to handle these some other way?
>>>
>>> Ewan.
>>>
>>
>> That's a perfectly valid reason to keep it private - though now the content of the bug has been publicly discussed, so one wonders at the continued utility of it being private.
>>
>> Perhaps it's a good time to segue to discussing how we wish to handle security bugs, and get that documented.
>>
>> --David
>
> Stratosec - Secure Infrastructure as a Service
> o: 415.315.9385
> @johnlkinsella