cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John Kinsella <...@stratosec.co>
Subject Re: Query regarding where to store encryption keys
Date Sat, 23 Jun 2012 00:13:43 GMT
Concur on both. I've been in an appsec mode recently and sending people to the OWASP site so
that came to mind, but CVSS is better known. I mentioned CVE directly as "MITRE" might confuse
people, but probably not an issue. Wiki's been updated.

Any other feedback/thoughts are welcome…

John

On Jun 22, 2012, at 4:21 PM, Clement Chen wrote:

> Hi John,
> 
> It looks nice. Two comments:
> 
> 1. Regarding risk rating, it seems to me that CVSS (http://www.first.org/cvss) has wider
adoption than the "OWASP risk rating methodology". Every security vulnerability in the National
Vulnerability Database (http://nvd.nist.gov/) has a CVSS score.
> 2. It should be "Security team works with MITRE to  reserve a CVE identifier". MITRE
is the organization that manages CVE.
> 
> Thanks.
> 
> -Clement
> 
> -----Original Message-----
> From: John Kinsella [mailto:jlk@stratosec.co] 
> Sent: Thursday, June 21, 2012 7:26 PM
> To: cloudstack-dev@incubator.apache.org
> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
> Subject: Re: Query regarding where to store encryption keys
> 
> OK - draft up at http://wiki.cloudstack.org/display/COMM/Draft%3A+Security+response+procedure
> 
> I think out of the 3 below, I like the OS and Eucalyptus pages the most, as the stress
that security is important and will contact will be responded to quickly.
> 
> Give feedback on the draft above - then let's talk next steps...I'd say we need a security
list, a php key behind it, a security notification page somewhere on the CS site, and I wouldn't'
mind seeing a twitter feed specifically for security announcements, as well...
> 
> John
> 
> On Jun 20, 2012, at 1:21 PM, Clement Chen wrote:
> 
>> We should set up a dedicated channel for security issues and handle security bugs
carefully.
>> 
>> Below are some of the examples:
>> 
>> Apache HTTP Server Project: 
>> http://httpd.apache.org/security_report.html
>> OpenStack: http://openstack.org/projects/openstack-security/
>> Eucalyptus: 
>> http://www.eucalyptus.com/eucalyptus-cloud/security/procedures
>> 
>> -Clement		 
>> 
>> -----Original Message-----
>> From: David Nalley [mailto:david@gnsa.us]
>> Sent: Wednesday, June 20, 2012 12:59 PM
>> To: cloudstack-dev@incubator.apache.org
>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>> Subject: Re: Query regarding where to store encryption keys
>> 
>> On Wed, Jun 20, 2012 at 3:50 PM, Ewan Mellor <Ewan.Mellor@eu.citrix.com> wrote:
>>>> -----Original Message-----
>>>> From: David Nalley [mailto:david@gnsa.us]
>>>> Sent: Wednesday, June 20, 2012 12:32 PM
>>>> To: cloudstack-dev@incubator.apache.org
>>>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>>>> Subject: Re: Query regarding where to store encryption keys
>>>> 
>>>> On Wed, Jun 20, 2012 at 3:15 PM, Vijayendra Bhamidipati 
>>>> <vijayendra.bhamidipati@citrix.com> wrote:
>>>>> Hi Team,
>>>>> 
>>>>> This is with reference to bug CS-15151
>>>> (http://bugs.cloudstack.org/browse/CS-15151). I have some questions 
>>>> and it would be great if you could share your knowledge and suggestions.
>>>>> 
>>>> 
>>>> 
>>>> Why is that bug not publicly visible?
>>> 
>>> Probably because it's highlighting a potential security hole.  That seems like
a reasonable precaution for the reporter to have taken.
>>> 
>>> Would you like to handle these some other way?
>>> 
>>> Ewan.
>>> 
>> 
>> That's a perfectly valid reason to keep it private, - though now the content of the
bug has been publicly discussed, so one wonders at the continued utility of it being private.
>> 
>> Perhaps it's a good time to segue to discussing how we wish to handle security bugs,
and get that documented.
>> 
>> --David
> 
> 

Stratosec - Secure Infrastructure as a Service
o: 415.315.9385
@johnlkinsella


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message