incubator-cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Clement Chen <clement.c...@citrix.com>
Subject RE: Query regarding where to store encryption keys
Date Fri, 22 Jun 2012 23:21:46 GMT
Hi John,

It looks nice. Two comments:

1. Regarding risk rating, it seems to me that CVSS (http://www.first.org/cvss) has wider adoption
than the "OWASP risk rating methodology". Every security vulnerability in the National Vulnerability
Database (http://nvd.nist.gov/) has a CVSS score.
2. It should be "Security team works with MITRE to  reserve a CVE identifier". MITRE is the
organization that manages CVE.

Thanks.

-Clement

-----Original Message-----
From: John Kinsella [mailto:jlk@stratosec.co] 
Sent: Thursday, June 21, 2012 7:26 PM
To: cloudstack-dev@incubator.apache.org
Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
Subject: Re: Query regarding where to store encryption keys

OK - draft up at http://wiki.cloudstack.org/display/COMM/Draft%3A+Security+response+procedure

I think out of the 3 below, I like the OS and Eucalyptus pages the most, as the stress that
security is important and will contact will be responded to quickly.

Give feedback on the draft above - then let's talk next steps...I'd say we need a security
list, a php key behind it, a security notification page somewhere on the CS site, and I wouldn't'
mind seeing a twitter feed specifically for security announcements, as well...

John

On Jun 20, 2012, at 1:21 PM, Clement Chen wrote:

> We should set up a dedicated channel for security issues and handle security bugs carefully.
> 
> Below are some of the examples:
> 
> Apache HTTP Server Project: 
> http://httpd.apache.org/security_report.html
> OpenStack: http://openstack.org/projects/openstack-security/
> Eucalyptus: 
> http://www.eucalyptus.com/eucalyptus-cloud/security/procedures
> 
> -Clement		 
> 
> -----Original Message-----
> From: David Nalley [mailto:david@gnsa.us]
> Sent: Wednesday, June 20, 2012 12:59 PM
> To: cloudstack-dev@incubator.apache.org
> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
> Subject: Re: Query regarding where to store encryption keys
> 
> On Wed, Jun 20, 2012 at 3:50 PM, Ewan Mellor <Ewan.Mellor@eu.citrix.com> wrote:
>>> -----Original Message-----
>>> From: David Nalley [mailto:david@gnsa.us]
>>> Sent: Wednesday, June 20, 2012 12:32 PM
>>> To: cloudstack-dev@incubator.apache.org
>>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>>> Subject: Re: Query regarding where to store encryption keys
>>> 
>>> On Wed, Jun 20, 2012 at 3:15 PM, Vijayendra Bhamidipati 
>>> <vijayendra.bhamidipati@citrix.com> wrote:
>>>> Hi Team,
>>>> 
>>>> This is with reference to bug CS-15151
>>> (http://bugs.cloudstack.org/browse/CS-15151). I have some questions 
>>> and it would be great if you could share your knowledge and suggestions.
>>>> 
>>> 
>>> 
>>> Why is that bug not publicly visible?
>> 
>> Probably because it's highlighting a potential security hole.  That seems like a
reasonable precaution for the reporter to have taken.
>> 
>> Would you like to handle these some other way?
>> 
>> Ewan.
>> 
> 
> That's a perfectly valid reason to keep it private, - though now the content of the bug
has been publicly discussed, so one wonders at the continued utility of it being private.
> 
> Perhaps it's a good time to segue to discussing how we wish to handle security bugs,
and get that documented.
> 
> --David



Mime
View raw message