I just noticed bugs.cloudstack.org has a "Security Level" field, but no options available… I'm guessing we want to put something there?

John

On Jun 29, 2012, at 12:43 PM, John Kinsella wrote:

> I think that list looks about right. I'm open to ideas on how to manage and
> share that PGP key. My key can be found on the MIT key server, should be on
> the PGP server soon.
>
> Updated URL for wiki page (I removed "draft")
> http://wiki.cloudstack.org/display/COMM/Security+response+procedure
>
> John
>
> On Jun 29, 2012, at 12:05 PM, Clement Chen wrote:
>
>> A couple of action items:
>>
>> 1. Create an email address - secur...@cloudstack.org as the dedicated
>> communication channel for security issues.
>> 2. Create a PGP key for the above email address.
>> 3. Create a webpage (for example, http://www.cloudstack.org/security) to
>> publish the security policy John created and tell users how to report
>> security issues to CloudStack.
>>
>> I can take care of 2. Not sure whom to contact for 1. and 3.? Should I file
>> a ticket for them?
>>
>> Thanks.
>>
>> -Clement
>>
>> -----Original Message-----
>> From: David Nalley [mailto:da...@gnsa.us]
>> Sent: Friday, June 29, 2012 10:44 AM
>> To: cloudstack-dev@incubator.apache.org
>> Subject: Security Policy was: Query regarding where to store encryption keys
>>
>> I don't want to lose track of this conversation. I think John's proposal
>> makes a lot of sense. What is actionable out of this?
>>
>> --David
>>
>> On Fri, Jun 22, 2012 at 8:13 PM, John Kinsella <j...@stratosec.co> wrote:
>>> Concur on both. I've been in an appsec mode recently and sending people to
>>> the OWASP site so that came to mind, but CVSS is better known. I mentioned
>>> CVE directly as "MITRE" might confuse people, but probably not an issue.
>>> Wiki's been updated.
>>>
>>> Any other feedback/thoughts are welcome.
>>>
>>> John
>>>
>>> On Jun 22, 2012, at 4:21 PM, Clement Chen wrote:
>>>
>>>> Hi John,
>>>>
>>>> It looks nice. Two comments:
>>>>
>>>> 1. Regarding risk rating, it seems to me that CVSS
>>>> (http://www.first.org/cvss) has wider adoption than the "OWASP risk rating
>>>> methodology". Every security vulnerability in the National Vulnerability
>>>> Database (http://nvd.nist.gov/) has a CVSS score.
>>>> 2. It should be "Security team works with MITRE to reserve a CVE
>>>> identifier". MITRE is the organization that manages CVE.
>>>>
>>>> Thanks.
>>>>
>>>> -Clement
>>>>
>>>> -----Original Message-----
>>>> From: John Kinsella [mailto:j...@stratosec.co]
>>>> Sent: Thursday, June 21, 2012 7:26 PM
>>>> To: cloudstack-dev@incubator.apache.org
>>>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>>>> Subject: Re: Query regarding where to store encryption keys
>>>>
>>>> OK - draft up at
>>>> http://wiki.cloudstack.org/display/COMM/Draft%3A+Security+response+procedure
>>>>
>>>> I think out of the 3 below, I like the OS and Eucalyptus pages the most,
>>>> as they stress that security is important and that contact will be
>>>> responded to quickly.
>>>>
>>>> Give feedback on the draft above - then let's talk next steps... I'd say we
>>>> need a security list, a PGP key behind it, a security notification page
>>>> somewhere on the CS site, and I wouldn't mind seeing a twitter feed
>>>> specifically for security announcements, as well...
>>>>
>>>> John
>>>>
>>>> On Jun 20, 2012, at 1:21 PM, Clement Chen wrote:
>>>>
>>>>> We should set up a dedicated channel for security issues and handle
>>>>> security bugs carefully.
>>>>>
>>>>> Below are some of the examples:
>>>>>
>>>>> Apache HTTP Server Project:
>>>>> http://httpd.apache.org/security_report.html
>>>>> OpenStack: http://openstack.org/projects/openstack-security/
>>>>> Eucalyptus:
>>>>> http://www.eucalyptus.com/eucalyptus-cloud/security/procedures
>>>>>
>>>>> -Clement
>>>>>
>>>>> -----Original Message-----
>>>>> From: David Nalley [mailto:da...@gnsa.us]
>>>>> Sent: Wednesday, June 20, 2012 12:59 PM
>>>>> To: cloudstack-dev@incubator.apache.org
>>>>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>>>>> Subject: Re: Query regarding where to store encryption keys
>>>>>
>>>>> On Wed, Jun 20, 2012 at 3:50 PM, Ewan Mellor <ewan.mel...@eu.citrix.com>
>>>>> wrote:
>>>>>>> -----Original Message-----
>>>>>>> From: David Nalley [mailto:da...@gnsa.us]
>>>>>>> Sent: Wednesday, June 20, 2012 12:32 PM
>>>>>>> To: cloudstack-dev@incubator.apache.org
>>>>>>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>>>>>>> Subject: Re: Query regarding where to store encryption keys
>>>>>>>
>>>>>>> On Wed, Jun 20, 2012 at 3:15 PM, Vijayendra Bhamidipati
>>>>>>> <vijayendra.bhamidip...@citrix.com> wrote:
>>>>>>>> Hi Team,
>>>>>>>>
>>>>>>>> This is with reference to bug CS-15151
>>>>>>>> (http://bugs.cloudstack.org/browse/CS-15151). I have some
>>>>>>>> questions and it would be great if you could share your knowledge and
>>>>>>>> suggestions.
>>>>>>>>
>>>>>>>
>>>>>>> Why is that bug not publicly visible?
>>>>>>
>>>>>> Probably because it's highlighting a potential security hole. That
>>>>>> seems like a reasonable precaution for the reporter to have taken.
>>>>>>
>>>>>> Would you like to handle these some other way?
>>>>>>
>>>>>> Ewan.
>>>>>>
>>>>> That's a perfectly valid reason to keep it private - though now the
>>>>> content of the bug has been publicly discussed, so one wonders at the
>>>>> continued utility of it being private.
>>>>>
>>>>> Perhaps it's a good time to segue to discussing how we wish to handle
>>>>> security bugs, and get that documented.
>>>>>
>>>>> --David
>>>>
>>>
>>
>

Stratosec - Secure Infrastructure as a Service
o: 415.315.9385
@johnlkinsella