incubator-cloudstack-dev mailing list archives

From Clement Chen <clement.c...@citrix.com>
Subject RE: Security Policy was: Query regarding where to store encryption keys
Date Fri, 29 Jun 2012 19:05:35 GMT
A couple of action items:

1. Create an email address - security@cloudstack.org as the dedicated communication channel
for security issues.
2. Create a PGP key for the above email address.
3. Create a webpage (for example, http://www.cloudstack.org/security) to publish the security
policy John created and tell users how to report security issues to CloudStack.

I can take care of 2. Not sure whom to contact for 1. and 3.? Should I file a ticket for them?

Thanks.

-Clement

-----Original Message-----
From: David Nalley [mailto:david@gnsa.us] 
Sent: Friday, June 29, 2012 10:44 AM
To: cloudstack-dev@incubator.apache.org
Subject: Security Policy was: Query regarding where to store encryption keys

I don't want to lose track of this conversation. I think John's proposal makes a lot of sense.
What is actionable out of this?

--David

On Fri, Jun 22, 2012 at 8:13 PM, John Kinsella <jlk@stratosec.co> wrote:
> Concur on both. I've been in an appsec mode recently and sending people to the OWASP
> site so that came to mind, but CVSS is better known. I mentioned CVE directly as "MITRE" might
> confuse people, but probably not an issue. Wiki's been updated.
>
> Any other feedback/thoughts are welcome.
>
> John
>
> On Jun 22, 2012, at 4:21 PM, Clement Chen wrote:
>
>> Hi John,
>>
>> It looks nice. Two comments:
>>
>> 1. Regarding risk rating, it seems to me that CVSS (http://www.first.org/cvss) has
>> wider adoption than the "OWASP risk rating methodology". Every security vulnerability in the
>> National Vulnerability Database (http://nvd.nist.gov/) has a CVSS score.
>> 2. It should be "Security team works with MITRE to reserve a CVE identifier". MITRE
>> is the organization that manages CVE.
>>
>> Thanks.
>>
>> -Clement
>>
>> -----Original Message-----
>> From: John Kinsella [mailto:jlk@stratosec.co]
>> Sent: Thursday, June 21, 2012 7:26 PM
>> To: cloudstack-dev@incubator.apache.org
>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>> Subject: Re: Query regarding where to store encryption keys
>>
>> OK - draft up at
>> http://wiki.cloudstack.org/display/COMM/Draft%3A+Security+response+procedure
>>
>> I think out of the 3 below, I like the OS and Eucalyptus pages the most, as they stress
>> that security is important and that contact will be responded to quickly.
>>
>> Give feedback on the draft above - then let's talk next steps...I'd say we need a
>> security list, a PGP key behind it, a security notification page somewhere on the CS site,
>> and I wouldn't mind seeing a twitter feed specifically for security announcements, as well...
>>
>> John
>>
>> On Jun 20, 2012, at 1:21 PM, Clement Chen wrote:
>>
>>> We should set up a dedicated channel for security issues and handle security
>>> bugs carefully.
>>>
>>> Below are some of the examples:
>>>
>>> Apache HTTP Server Project:
>>> http://httpd.apache.org/security_report.html
>>> OpenStack: http://openstack.org/projects/openstack-security/
>>> Eucalyptus:
>>> http://www.eucalyptus.com/eucalyptus-cloud/security/procedures
>>>
>>> -Clement
>>>
>>> -----Original Message-----
>>> From: David Nalley [mailto:david@gnsa.us]
>>> Sent: Wednesday, June 20, 2012 12:59 PM
>>> To: cloudstack-dev@incubator.apache.org
>>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>>> Subject: Re: Query regarding where to store encryption keys
>>>
>>> On Wed, Jun 20, 2012 at 3:50 PM, Ewan Mellor <Ewan.Mellor@eu.citrix.com>
>>> wrote:
>>>>> -----Original Message-----
>>>>> From: David Nalley [mailto:david@gnsa.us]
>>>>> Sent: Wednesday, June 20, 2012 12:32 PM
>>>>> To: cloudstack-dev@incubator.apache.org
>>>>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>>>>> Subject: Re: Query regarding where to store encryption keys
>>>>>
>>>>> On Wed, Jun 20, 2012 at 3:15 PM, Vijayendra Bhamidipati 
>>>>> <vijayendra.bhamidipati@citrix.com> wrote:
>>>>>> Hi Team,
>>>>>>
>>>>>> This is with reference to bug CS-15151
>>>>>> (http://bugs.cloudstack.org/browse/CS-15151). I have some
>>>>>> questions and it would be great if you could share your knowledge and
>>>>>> suggestions.
>>>>>>
>>>>>
>>>>>
>>>>> Why is that bug not publicly visible?
>>>>
>>>> Probably because it's highlighting a potential security hole. That seems
>>>> like a reasonable precaution for the reporter to have taken.
>>>>
>>>> Would you like to handle these some other way?
>>>>
>>>> Ewan.
>>>>
>>>
>>> That's a perfectly valid reason to keep it private - though now the content
>>> of the bug has been publicly discussed, so one wonders at the continued utility of it being
>>> private.
>>>
>>> Perhaps it's a good time to segue to discussing how we wish to handle security
>>> bugs, and get that documented.
>>>
>>> --David
>>
>>
>
> Stratosec - Secure Infrastructure as a Service
> o: 415.315.9385
> @johnlkinsella
>
