incubator-cloudstack-dev mailing list archives

From David Nalley <da...@gnsa.us>
Subject Security Policy was: Query regarding where to store encryption keys
Date Fri, 29 Jun 2012 17:44:24 GMT
I don't want to lose track of this conversation. I think John's
proposal makes a lot of sense. What is actionable out of this?

--David

On Fri, Jun 22, 2012 at 8:13 PM, John Kinsella <jlk@stratosec.co> wrote:
> Concur on both. I've been in an appsec mode recently and sending people to the OWASP
> site so that came to mind, but CVSS is better known. I mentioned CVE directly as "MITRE" might
> confuse people, but probably not an issue. Wiki's been updated.
>
> Any other feedback/thoughts are welcome…
>
> John
>
> On Jun 22, 2012, at 4:21 PM, Clement Chen wrote:
>
>> Hi John,
>>
>> It looks nice. Two comments:
>>
>> 1. Regarding risk rating, it seems to me that CVSS (http://www.first.org/cvss) has
>> wider adoption than the "OWASP risk rating methodology". Every security vulnerability in the
>> National Vulnerability Database (http://nvd.nist.gov/) has a CVSS score.
>> 2. It should be "Security team works with MITRE to reserve a CVE identifier". MITRE
>> is the organization that manages CVE.
>>
>> Thanks.
>>
>> -Clement
>>
>> -----Original Message-----
>> From: John Kinsella [mailto:jlk@stratosec.co]
>> Sent: Thursday, June 21, 2012 7:26 PM
>> To: cloudstack-dev@incubator.apache.org
>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>> Subject: Re: Query regarding where to store encryption keys
>>
>> OK - draft up at http://wiki.cloudstack.org/display/COMM/Draft%3A+Security+response+procedure
>>
>> I think out of the 3 below, I like the OS and Eucalyptus pages the most, as they stress
>> that security is important and that contact will be responded to quickly.
>>
>> Give feedback on the draft above - then let's talk next steps...I'd say we need a
>> security list, a php key behind it, a security notification page somewhere on the CS site,
>> and I wouldn't mind seeing a twitter feed specifically for security announcements, as well...
>>
>> John
>>
>> On Jun 20, 2012, at 1:21 PM, Clement Chen wrote:
>>
>>> We should set up a dedicated channel for security issues and handle security
>>> bugs carefully.
>>>
>>> Below are some of the examples:
>>>
>>> Apache HTTP Server Project:
>>> http://httpd.apache.org/security_report.html
>>> OpenStack: http://openstack.org/projects/openstack-security/
>>> Eucalyptus:
>>> http://www.eucalyptus.com/eucalyptus-cloud/security/procedures
>>>
>>> -Clement
>>>
>>> -----Original Message-----
>>> From: David Nalley [mailto:david@gnsa.us]
>>> Sent: Wednesday, June 20, 2012 12:59 PM
>>> To: cloudstack-dev@incubator.apache.org
>>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>>> Subject: Re: Query regarding where to store encryption keys
>>>
>>> On Wed, Jun 20, 2012 at 3:50 PM, Ewan Mellor <Ewan.Mellor@eu.citrix.com>
>>> wrote:
>>>>> -----Original Message-----
>>>>> From: David Nalley [mailto:david@gnsa.us]
>>>>> Sent: Wednesday, June 20, 2012 12:32 PM
>>>>> To: cloudstack-dev@incubator.apache.org
>>>>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>>>>> Subject: Re: Query regarding where to store encryption keys
>>>>>
>>>>> On Wed, Jun 20, 2012 at 3:15 PM, Vijayendra Bhamidipati
>>>>> <vijayendra.bhamidipati@citrix.com> wrote:
>>>>>> Hi Team,
>>>>>>
>>>>>> This is with reference to bug CS-15151
>>>>> (http://bugs.cloudstack.org/browse/CS-15151). I have some questions
>>>>> and it would be great if you could share your knowledge and suggestions.
>>>>>>
>>>>>
>>>>>
>>>>> Why is that bug not publicly visible?
>>>>
>>>> Probably because it's highlighting a potential security hole.  That seems
>>>> like a reasonable precaution for the reporter to have taken.
>>>>
>>>> Would you like to handle these some other way?
>>>>
>>>> Ewan.
>>>>
>>>
>>> That's a perfectly valid reason to keep it private, - though now the content
>>> of the bug has been publicly discussed, so one wonders at the continued utility of it being
>>> private.
>>>
>>> Perhaps it's a good time to segue to discussing how we wish to handle security
bugs, and get that documented.
>>>
>>> --David
>>
>>
>
> Stratosec - Secure Infrastructure as a Service
> o: 415.315.9385
> @johnlkinsella
>
