I don't want to lose track of this conversation. I think John's proposal makes a lot of sense. What is actionable out of this?
--David

On Fri, Jun 22, 2012 at 8:13 PM, John Kinsella <j...@stratosec.co> wrote:
> Concur on both. I've been in an appsec mode recently and sending people to
> the OWASP site so that came to mind, but CVSS is better known. I mentioned
> CVE directly as "MITRE" might confuse people, but probably not an issue.
> Wiki's been updated.
>
> Any other feedback/thoughts are welcome...
>
> John
>
> On Jun 22, 2012, at 4:21 PM, Clement Chen wrote:
>
>> Hi John,
>>
>> It looks nice. Two comments:
>>
>> 1. Regarding risk rating, it seems to me that CVSS
>> (http://www.first.org/cvss) has wider adoption than the "OWASP risk rating
>> methodology". Every security vulnerability in the National Vulnerability
>> Database (http://nvd.nist.gov/) has a CVSS score.
>> 2. It should be "Security team works with MITRE to reserve a CVE
>> identifier". MITRE is the organization that manages CVE.
>>
>> Thanks.
>>
>> -Clement
>>
>> -----Original Message-----
>> From: John Kinsella [mailto:j...@stratosec.co]
>> Sent: Thursday, June 21, 2012 7:26 PM
>> To: cloudstack-dev@incubator.apache.org
>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>> Subject: Re: Query regarding where to store encryption keys
>>
>> OK - draft up at
>> http://wiki.cloudstack.org/display/COMM/Draft%3A+Security+response+procedure
>>
>> I think out of the 3 below, I like the OS and Eucalyptus pages the most, as
>> they stress that security is important and that contact will be responded to
>> quickly.
>>
>> Give feedback on the draft above - then let's talk next steps... I'd say we
>> need a security list, a PGP key behind it, a security notification page
>> somewhere on the CS site, and I wouldn't mind seeing a twitter feed
>> specifically for security announcements, as well...
>>
>> John
>>
>> On Jun 20, 2012, at 1:21 PM, Clement Chen wrote:
>>
>>> We should set up a dedicated channel for security issues and handle
>>> security bugs carefully.
>>>
>>> Below are some of the examples:
>>>
>>> Apache HTTP Server Project:
>>> http://httpd.apache.org/security_report.html
>>> OpenStack: http://openstack.org/projects/openstack-security/
>>> Eucalyptus:
>>> http://www.eucalyptus.com/eucalyptus-cloud/security/procedures
>>>
>>> -Clement
>>>
>>> -----Original Message-----
>>> From: David Nalley [mailto:da...@gnsa.us]
>>> Sent: Wednesday, June 20, 2012 12:59 PM
>>> To: cloudstack-dev@incubator.apache.org
>>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>>> Subject: Re: Query regarding where to store encryption keys
>>>
>>> On Wed, Jun 20, 2012 at 3:50 PM, Ewan Mellor <ewan.mel...@eu.citrix.com>
>>> wrote:
>>>>> -----Original Message-----
>>>>> From: David Nalley [mailto:da...@gnsa.us]
>>>>> Sent: Wednesday, June 20, 2012 12:32 PM
>>>>> To: cloudstack-dev@incubator.apache.org
>>>>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>>>>> Subject: Re: Query regarding where to store encryption keys
>>>>>
>>>>> On Wed, Jun 20, 2012 at 3:15 PM, Vijayendra Bhamidipati
>>>>> <vijayendra.bhamidip...@citrix.com> wrote:
>>>>>> Hi Team,
>>>>>>
>>>>>> This is with reference to bug CS-15151
>>>>>> (http://bugs.cloudstack.org/browse/CS-15151). I have some questions
>>>>>> and it would be great if you could share your knowledge and suggestions.
>>>>>>
>>>>>
>>>>> Why is that bug not publicly visible?
>>>>
>>>> Probably because it's highlighting a potential security hole. That seems
>>>> like a reasonable precaution for the reporter to have taken.
>>>>
>>>> Would you like to handle these some other way?
>>>>
>>>> Ewan.
>>>>
>>>
>>> That's a perfectly valid reason to keep it private - though now the
>>> content of the bug has been publicly discussed, so one wonders at the
>>> continued utility of it being private.
>>>
>>> Perhaps it's a good time to segue to discussing how we wish to handle
>>> security bugs, and get that documented.
>>>
>>> --David
>>
>
> Stratosec - Secure Infrastructure as a Service
> o: 415.315.9385
> @johnlkinsella