incubator-cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John Kinsella <...@stratosec.co>
Subject Re: Security Policy was: Query regarding where to store encryption keys
Date Sun, 01 Jul 2012 22:28:26 GMT
I just noticed bugs.cloudstack.org has a "Security Level" field, but no options availableā€¦I'm
guessing we want to put something there?

John

On Jun 29, 2012, at 12:43 PM, John Kinsella wrote:

> I think that list looks about right. I'm open to ideas on how to manage and share that
PGP key. My key can be found on the MIT key server, should be on the PGP server soon.
> 
> Updated URL for wiki page (I removed "draft") http://wiki.cloudstack.org/display/COMM/Security+response+procedure
> 
> John
> 
> On Jun 29, 2012, at 12:05 PM, Clement Chen wrote:
> 
>> A couple of action items:
>> 
>> 1. Create an email address - security@cloudstack.org as the dedicated communication
channel for security issues.
>> 2. Create a PGP key for the above email address.
>> 3. Create a webpage (for example, http://www.cloudstack.org/security) to publish
the security policy John created and tell users how to report security issues to CloudStack.
>> 
>> I can take care of 2. Not sure whom to contact for 1. and 3.? Should I file a ticket
for them?
>> 
>> Thanks.
>> 
>> -Clement
>> 
>> -----Original Message-----
>> From: David Nalley [mailto:david@gnsa.us] 
>> Sent: Friday, June 29, 2012 10:44 AM
>> To: cloudstack-dev@incubator.apache.org
>> Subject: Security Policy was: Query regarding where to store encryption keys
>> 
>> I don't want to lose track of this conversation. I think John's proposal makes a
lot of sense. What is actionable out of this?
>> 
>> --David
>> 
>> On Fri, Jun 22, 2012 at 8:13 PM, John Kinsella <jlk@stratosec.co> wrote:
>>> Concur on both. I've been in an appsec mode recently and sending people to the
OWASP site so that came to mind, but CVSS is better known. I mentioned CVE directly as "MITRE"
might confuse people, but probably not an issue. Wiki's been updated.
>>> 
>>> Any other feedback/thoughts are welcome.
>>> 
>>> John
>>> 
>>> On Jun 22, 2012, at 4:21 PM, Clement Chen wrote:
>>> 
>>>> Hi John,
>>>> 
>>>> It looks nice. Two comments:
>>>> 
>>>> 1. Regarding risk rating, it seems to me that CVSS (http://www.first.org/cvss)
has wider adoption than the "OWASP risk rating methodology". Every security vulnerability
in the National Vulnerability Database (http://nvd.nist.gov/) has a CVSS score.
>>>> 2. It should be "Security team works with MITRE to  reserve a CVE identifier".
MITRE is the organization that manages CVE.
>>>> 
>>>> Thanks.
>>>> 
>>>> -Clement
>>>> 
>>>> -----Original Message-----
>>>> From: John Kinsella [mailto:jlk@stratosec.co]
>>>> Sent: Thursday, June 21, 2012 7:26 PM
>>>> To: cloudstack-dev@incubator.apache.org
>>>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>>>> Subject: Re: Query regarding where to store encryption keys
>>>> 
>>>> OK - draft up at 
>>>> http://wiki.cloudstack.org/display/COMM/Draft%3A+Security+response+pr
>>>> ocedure
>>>> 
>>>> I think out of the 3 below, I like the OS and Eucalyptus pages the most,
as the stress that security is important and will contact will be responded to quickly.
>>>> 
>>>> Give feedback on the draft above - then let's talk next steps...I'd say we
need a security list, a php key behind it, a security notification page somewhere on the CS
site, and I wouldn't' mind seeing a twitter feed specifically for security announcements,
as well...
>>>> 
>>>> John
>>>> 
>>>> On Jun 20, 2012, at 1:21 PM, Clement Chen wrote:
>>>> 
>>>>> We should set up a dedicated channel for security issues and handle security
bugs carefully.
>>>>> 
>>>>> Below are some of the examples:
>>>>> 
>>>>> Apache HTTP Server Project:
>>>>> http://httpd.apache.org/security_report.html
>>>>> OpenStack: http://openstack.org/projects/openstack-security/
>>>>> Eucalyptus:
>>>>> http://www.eucalyptus.com/eucalyptus-cloud/security/procedures
>>>>> 
>>>>> -Clement
>>>>> 
>>>>> -----Original Message-----
>>>>> From: David Nalley [mailto:david@gnsa.us]
>>>>> Sent: Wednesday, June 20, 2012 12:59 PM
>>>>> To: cloudstack-dev@incubator.apache.org
>>>>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>>>>> Subject: Re: Query regarding where to store encryption keys
>>>>> 
>>>>> On Wed, Jun 20, 2012 at 3:50 PM, Ewan Mellor <Ewan.Mellor@eu.citrix.com>
wrote:
>>>>>>> -----Original Message-----
>>>>>>> From: David Nalley [mailto:david@gnsa.us]
>>>>>>> Sent: Wednesday, June 20, 2012 12:32 PM
>>>>>>> To: cloudstack-dev@incubator.apache.org
>>>>>>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>>>>>>> Subject: Re: Query regarding where to store encryption keys
>>>>>>> 
>>>>>>> On Wed, Jun 20, 2012 at 3:15 PM, Vijayendra Bhamidipati 
>>>>>>> <vijayendra.bhamidipati@citrix.com> wrote:
>>>>>>>> Hi Team,
>>>>>>>> 
>>>>>>>> This is with reference to bug CS-15151
>>>>>>> (http://bugs.cloudstack.org/browse/CS-15151). I have some 
>>>>>>> questions and it would be great if you could share your knowledge
and suggestions.
>>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> Why is that bug not publicly visible?
>>>>>> 
>>>>>> Probably because it's highlighting a potential security hole.  That
seems like a reasonable precaution for the reporter to have taken.
>>>>>> 
>>>>>> Would you like to handle these some other way?
>>>>>> 
>>>>>> Ewan.
>>>>>> 
>>>>> 
>>>>> That's a perfectly valid reason to keep it private, - though now the
content of the bug has been publicly discussed, so one wonders at the continued utility of
it being private.
>>>>> 
>>>>> Perhaps it's a good time to segue to discussing how we wish to handle
security bugs, and get that documented.
>>>>> 
>>>>> --David
>>>> 
>>>> 
>>> 
>>> Stratosec - Secure Infrastructure as a Service
>>> o: 415.315.9385
>>> @johnlkinsella
>>> 
> 
> Stratosec - Secure Infrastructure as a Service
> o: 415.315.9385
> @johnlkinsella
> 

Stratosec - Secure Infrastructure as a Service
o: 415.315.9385
@johnlkinsella


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message