Posted to user@cassandra.apache.org by oleg yusim <ol...@gmail.com> on 2016/02/11 21:29:25 UTC

Security assessment of Cassandra

Greetings,

Performing a security assessment of Cassandra with the goal of generating
a STIG for Cassandra (iase.disa.mil/stigs/Pages/a-z.aspx), I ran across some
questions regarding the way certain security features are implemented (or
not) in Cassandra.

I composed the list of questions on these topics, which I wasn't able to
find a definitive answer to anywhere else, and posted it here:

https://drive.google.com/open?id=0B2L9nW4Cyj41YWd1UkI4ZXVPYmM

It is shared with all the members of that list, and any of the members of
this list is welcome to comment on this document (there is a place for
community comments specially reserved near each of the questions and my
take on it).

I would greatly appreciate Cassandra community help here.

Thanks,

Oleg

Re: Security assessment of Cassandra

Posted by Jack Krupansky <ja...@gmail.com>.
Just following up... Oleg, have you gotten a satisfactory level of feedback
from the community on the security assessment issues?

And if there is any sort of final assessment that can be publicly accessed,
that would be great.

-- Jack Krupansky

On Thu, Feb 11, 2016 at 3:29 PM, oleg yusim <ol...@gmail.com> wrote:

> Greetings,
>
> Performing a security assessment of Cassandra with the goal of generating
> a STIG for Cassandra (iase.disa.mil/stigs/Pages/a-z.aspx), I ran across some
> questions regarding the way certain security features are implemented (or
> not) in Cassandra.
>
> I composed the list of questions on these topics, which I wasn't able to
> find a definitive answer to anywhere else, and posted it here:
>
> https://drive.google.com/open?id=0B2L9nW4Cyj41YWd1UkI4ZXVPYmM
>
> It is shared with all the members of that list, and any of the members of
> this list is welcome to comment on this document (there is a place for
> community comments specially reserved near each of the questions and my
> take on it).
>
> I would greatly appreciate Cassandra community help here.
>
> Thanks,
>
> Oleg
>

Re: Security assessment of Cassandra

Posted by oleg yusim <ol...@gmail.com>.
Greetings,

Matt brought to my attention that I shared the document in "view only"
mode. My apologies for that. I corrected permissions and shared the
document personally with everybody who indicated he/she would review it.

Thanks,

Oleg

On Fri, Feb 12, 2016 at 10:33 PM, oleg yusim <ol...@gmail.com> wrote:

> Greetings,
>
> Following Jack's and Matt's suggestions, I moved the doc to Google Docs
> and added to it all the security gaps in Cassandra I was able to discover
> (please see the second table, below the first).
>
> Here is an updated link to my document:
>
>
> https://docs.google.com/document/d/13-yu-1a0MMkBiJFPNkYoTd1Hzed9tgKltWi6hFLZbsk/edit?usp=sharing
>
> Thanks,
>
> Oleg
>
> On Thu, Feb 11, 2016 at 2:29 PM, oleg yusim <ol...@gmail.com> wrote:
>
>> Greetings,
>>
>> Performing a security assessment of Cassandra with the goal of generating
>> a STIG for Cassandra (iase.disa.mil/stigs/Pages/a-z.aspx), I ran across
>> some questions regarding the way certain security features are implemented
>> (or not) in Cassandra.
>>
>> I composed the list of questions on these topics, which I wasn't able to
>> find a definitive answer to anywhere else, and posted it here:
>>
>> https://drive.google.com/open?id=0B2L9nW4Cyj41YWd1UkI4ZXVPYmM
>>
>> It is shared with all the members of that list, and any of the members of
>> this list is welcome to comment on this document (there is a place for
>> community comments specially reserved near each of the questions and my
>> take on it).
>>
>> I would greatly appreciate Cassandra community help here.
>>
>> Thanks,
>>
>> Oleg
>>
>
>

Re: Security assessment of Cassandra

Posted by oleg yusim <ol...@gmail.com>.
Greetings,

Following Jack's and Matt's suggestions, I moved the doc to Google Docs and
added to it all the security gaps in Cassandra I was able to discover
(please see the second table, below the first).

Here is an updated link to my document:

https://docs.google.com/document/d/13-yu-1a0MMkBiJFPNkYoTd1Hzed9tgKltWi6hFLZbsk/edit?usp=sharing

Thanks,

Oleg

On Thu, Feb 11, 2016 at 2:29 PM, oleg yusim <ol...@gmail.com> wrote:

> Greetings,
>
> Performing a security assessment of Cassandra with the goal of generating
> a STIG for Cassandra (iase.disa.mil/stigs/Pages/a-z.aspx), I ran across some
> questions regarding the way certain security features are implemented (or
> not) in Cassandra.
>
> I composed the list of questions on these topics, which I wasn't able to
> find a definitive answer to anywhere else, and posted it here:
>
> https://drive.google.com/open?id=0B2L9nW4Cyj41YWd1UkI4ZXVPYmM
>
> It is shared with all the members of that list, and any of the members of
> this list is welcome to comment on this document (there is a place for
> community comments specially reserved near each of the questions and my
> take on it).
>
> I would greatly appreciate Cassandra community help here.
>
> Thanks,
>
> Oleg
>