Posted to dev@openwhisk.apache.org by Matt Rutkowski <mr...@us.ibm.com> on 2019/03/20 16:54:18 UTC

Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting

While filling out the Maturity Model, I noted that several questions were 
asked around our community's seriousness in addressing user security 
issues/reporting.  However, our website (footer) had a "security" link 
that simply sent you to a general Apache site which has you contact the 
"Apache security team" which really has no ties (or even process) to 
connect it back to the OpenWhisk (or any Incubator) project.

I found a nicer approach taken by a recently graduated project, which I liked: 
provide a more personal page from our website to display on 
clicking the "security" link on any footer.  It instructs the user to 
submit suspected vuln. issues directly to the PMC private email list 
(which is the desired process) and hopefully gets the immediate attention 
of our PMC whose members can quickly investigate and instigate the 
internal Apache processes as needed. 

Priti kindly reviewed/merged the new page for me and you can find it here:
https://openwhisk.apache.org/security.html

Please comment if you feel anything needs to be added, but this actually 
is complete and succinct IMO.

Kind regards,
Matt


Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting

Posted by Carlos Santana <cs...@gmail.com>.
Yep that’s why I said let’s use the already 2 mailing lists security@apache.org and private@openwhisk.org

Let’s not create a 3rd

- Carlos Santana
@csantanapr

> On Mar 21, 2019, at 8:54 AM, Matt Sicker <bo...@gmail.com> wrote:
> 
> Security mailing lists should also be private and only accessible to PMC
> members (and ASF members).
> 
>> On Thu, Mar 21, 2019 at 04:03, Carlos Santana <cs...@gmail.com> wrote:
>> 
>> That’s fine to have a page and security mailing list.
>> 
>> Who from the PPMC is going to monitor the security@ mailing list?
>> 
>> I’m already subscribed to private@
>> 
>> I would not want sensitive topics and reports to be discussed in this
>> security ML if anyone is allowed to subscribe.
>> 
>> The ASF process still needs to be followed anyway, and for any reports we would
>> need to loop in security@apache.org anyway
>> 
>> I bet people would email by mistake security@openwhisk.apache.org with
>> sensitive data when they should have used security@apache.org and also bet
>> we will be explaining multiple times when to use each ML list.
>> 
>> If we have such an ML list I certainly will not be using it or subscribing and
>> expect any serious reports and findings to find their way to private@
>> 
>> If there are users with security questions on how to do something or
>> someone sharing best practices for security they can certainly use the dev@
>> list we have today
>> 
>> +1 to have a security page
>> -1 to have yet another ML list security@openwhisk.apache.org
>> 
>> - Carlos Santana
>> @csantanapr
>> 
>>> On Mar 21, 2019, at 4:28 AM, Bertrand Delacretaz <bd...@apache.org>
>> wrote:
>>> 
>>> Hi,
>>> 
>>>> On Wed, Mar 20, 2019 at 10:43 PM Carlos Santana <cs...@gmail.com>
>> wrote:
>>>> For security reports, ASF already has a process; let's not improvise..
>>> 
>>> Agreed but it's fine for projects to have their own security page, as
>>> long as the ASF process is followed.
>>> 
>>>> ... Reporters should send email to security@apache.org ...
>>> 
>>> It's also ok for projects to have their own security@ list, see
>>> https://sling.apache.org/project-information/security.html for an
>>> example.
>>> 
>>> -Bertrand
>> 
> -- 
> Matt Sicker <bo...@gmail.com>

Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting

Posted by Matt Sicker <bo...@gmail.com>.
Security mailing lists should also be private and only accessible to PMC
members (and ASF members).

On Thu, Mar 21, 2019 at 04:03, Carlos Santana <cs...@gmail.com> wrote:

> That’s fine to have a page and security mailing list.
>
> Who from the PPMC is going to monitor the security@ mailing list?
>
> I’m already subscribed to private@
>
> I would not want sensitive topics and reports to be discussed in this
> security ML if anyone is allowed to subscribe.
>
> The ASF process still needs to be followed anyway, and for any reports we would
> need to loop in security@apache.org anyway
>
> I bet people would email by mistake security@openwhisk.apache.org with
> sensitive data when they should have used security@apache.org and also bet
> we will be explaining multiple times when to use each ML list.
>
> If we have such an ML list I certainly will not be using it or subscribing and
> expect any serious reports and findings to find their way to private@
>
> If there are users with security questions on how to do something or
> someone sharing best practices for security they can certainly use the dev@
> list we have today
>
> +1 to have a security page
> -1 to have yet another ML list security@openwhisk.apache.org
>
> - Carlos Santana
> @csantanapr
>
> > On Mar 21, 2019, at 4:28 AM, Bertrand Delacretaz <bd...@apache.org>
> wrote:
> >
> > Hi,
> >
> >> On Wed, Mar 20, 2019 at 10:43 PM Carlos Santana <cs...@gmail.com>
> wrote:
> >> For security reports, ASF already has a process; let's not improvise..
> >
> > Agreed but it's fine for projects to have their own security page, as
> > long as the ASF process is followed.
> >
> >> ... Reporters should send email to security@apache.org ...
> >
> > It's also ok for projects to have their own security@ list, see
> > https://sling.apache.org/project-information/security.html for an
> > example.
> >
> > -Bertrand
>
-- 
Matt Sicker <bo...@gmail.com>

Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting

Posted by Carlos Santana <cs...@gmail.com>.
It can exist

Please let’s not create it

- Carlos Santana
@csantanapr

> On Mar 21, 2019, at 8:58 AM, Bertrand Delacretaz <bd...@apache.org> wrote:
> 
> Hi,
> 
>> On Thu, Mar 21, 2019 at 10:03 AM Carlos Santana <cs...@gmail.com> wrote:
>> ...
>> -1 to have yet another ML list security@openwhisk.apache.org ...
> 
> FWIW I was not saying that that list should exist, just that it *can*
> exist if desired.
> 
> -Bertrand

Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting

Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi,

On Thu, Mar 21, 2019 at 10:03 AM Carlos Santana <cs...@gmail.com> wrote:
...
> -1 to have yet another ML list security@openwhisk.apache.org ...

FWIW I was not saying that that list should exist, just that it *can*
exist if desired.

-Bertrand

Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting

Posted by Carlos Santana <cs...@gmail.com>.
That’s fine to have a page and security mailing list. 

Who from the PPMC is going to monitor the security@ mailing list?

I’m already subscribed to private@

I would not want sensitive topics and reports to be discussed in this security ML if anyone is allowed to subscribe. 

The ASF process still needs to be followed anyway, and for any reports we would need to loop in security@apache.org anyway

I bet people would email by mistake security@openwhisk.apache.org with sensitive data when they should have used security@apache.org and also bet we will be explaining multiple times when to use each ML list. 

If we have such an ML list I certainly will not be using it or subscribing and expect any serious reports and findings to find their way to private@

If there are users with security questions on how to do something or someone sharing best practices for security they can certainly use the dev@ list we have today

+1 to have a security page
-1 to have yet another ML list security@openwhisk.apache.org

- Carlos Santana
@csantanapr

> On Mar 21, 2019, at 4:28 AM, Bertrand Delacretaz <bd...@apache.org> wrote:
> 
> Hi,
> 
>> On Wed, Mar 20, 2019 at 10:43 PM Carlos Santana <cs...@gmail.com> wrote:
>> For security reports, ASF already has a process; let's not improvise..
> 
> Agreed but it's fine for projects to have their own security page, as
> long as the ASF process is followed.
> 
>> ... Reporters should send email to security@apache.org ...
> 
> It's also ok for projects to have their own security@ list, see
> https://sling.apache.org/project-information/security.html for an
> example.
> 
> -Bertrand

Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting

Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi,

On Wed, Mar 20, 2019 at 10:43 PM Carlos Santana <cs...@gmail.com> wrote:
> For security reports, ASF already has a process; let's not improvise..

Agreed but it's fine for projects to have their own security page, as
long as the ASF process is followed.

>... Reporters should send email to security@apache.org ...

It's also ok for projects to have their own security@ list, see
https://sling.apache.org/project-information/security.html for an
example.

-Bertrand

Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting

Posted by Carlos Santana <cs...@gmail.com>.
For security reports, ASF already has a process; let's not improvise

Reporters should send email to security@apache.org
The process explains how to handle artifacts to reproduce the vulnerability

Security will inform the PMC private list and forward the email

--cs


On Wed, Mar 20, 2019 at 3:09 PM Matt Sicker <bo...@gmail.com> wrote:

> On Wed, 20 Mar 2019 at 12:52, Rodric Rabbah <ro...@gmail.com> wrote:
> >
> > We went through a case last year where a company reported a vulnerability
> > to us through security@a.o and we cc'ed them on all the communications.
> I
> > think that worked well. Are you suggesting we have our own project
> security
> > mailing list that goes to both our private list and security@a.o?
>
> Essentially, yes. This is more of a concern with larger projects (like
> this one) which are more likely to have to deal with security issues
> more often. It's essentially a way to segregate security traffic into
> its own mailing list rather than using up private@ for everything
> (which can get confusing depending on how much activity there is).
>
>
> --
> Matt Sicker <bo...@gmail.com>
>
-- 
Carlos Santana
<cs...@gmail.com>

Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting

Posted by Matt Sicker <bo...@gmail.com>.
On Wed, 20 Mar 2019 at 12:52, Rodric Rabbah <ro...@gmail.com> wrote:
>
> We went through a case last year where a company reported a vulnerability
> to us through security@a.o and we cc'ed them on all the communications. I
> think that worked well. Are you suggesting we have our own project security
> mailing list that goes to both our private list and security@a.o?

Essentially, yes. This is more of a concern with larger projects (like
this one) which are more likely to have to deal with security issues
more often. It's essentially a way to segregate security traffic into
its own mailing list rather than using up private@ for everything
(which can get confusing depending on how much activity there is).


-- 
Matt Sicker <bo...@gmail.com>

Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Fri, Mar 22, 2019 at 3:37 PM Matt Rutkowski <mr...@us.ibm.com> wrote:
> ...Changed it yesterday to use the gen. ASF security email ...

Thanks! https://openwhisk.apache.org/security.html and
https://openwhisk.apache.org/ includes a "security" link at the bottom
which is good.

-Bertrand

Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting

Posted by Matt Rutkowski <mr...@us.ibm.com>.
Changed it yesterday to use the gen. ASF security email ... and yes I was 
following completed maturity models for graduated projects that used 
private...

From:   Bertrand Delacretaz <bd...@apache.org>
To:     OpenWhisk Dev <de...@openwhisk.apache.org>
Date:   03/21/2019 08:14 AM
Subject:        Re: Added a "Security" page to website with simple, 
OW-specific instructions for vuln. reporting

Hi,

On Wed, Mar 20, 2019 at 7:21 PM Matt Rutkowski <mr...@us.ibm.com> 
wrote:
>
> ...As indicated, they are directed to use our private (PMC) email list 
as
> they should do by Apache process... having the new page makes this very
> clear...

Did you find ASF instructions to use private@ for security reports?

I think the recommendation is to either use security@apache.org or a
project-specific security@ list - if you look at
http://www.apache.org/security/projects.html all addresses are
security@

The goal is for the ASF security team to have an overview on security
reports, to be able to take action if a PMC becomes unresponsive. I
*think* security@ lists are handled in a way that provides that
oversight, but private@ lists are not.

At this point my recommendation is to use security@apache.org until a
project-specific security@ list is needed, if volume increases for
example.

-Bertrand

Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting

Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi,

On Wed, Mar 20, 2019 at 7:21 PM Matt Rutkowski <mr...@us.ibm.com> wrote:
>
> ...As indicated, they are directed to use our private (PMC) email list as
> they should do by Apache process... having the new page makes this very
> clear...

Did you find ASF instructions to use private@ for security reports?

I think the recommendation is to either use security@apache.org or a
project-specific security@ list - if you look at
http://www.apache.org/security/projects.html all addresses are
security@

The goal is for the ASF security team to have an overview on security
reports, to be able to take action if a PMC becomes unresponsive. I
*think* security@ lists are handled in a way that provides that
oversight, but private@ lists are not.

At this point my recommendation is to use security@apache.org until a
project-specific security@ list is needed, if volume increases for
example.

-Bertrand

Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting

Posted by Matt Rutkowski <mr...@us.ibm.com>.
As indicated, they are directed to use our private (PMC) email list as 
they should do by Apache process... having the new page makes this very 
clear...

ASF encourages the use of a PMC's private list, but also provides a 
security email list for full projects... as we are an Incubator project we do not 
get one, and clearly reading the page we pointed to previously (and still 
link to) we are NOT included, which would cause users issues deciding 
how/where to begin.  What I have added is correct and consistent with 
other projects.

From:   Rodric Rabbah <ro...@gmail.com>
To:     dev@openwhisk.apache.org
Date:   03/20/2019 12:52 PM
Subject:        Re: Added a "Security" page to website with simple, 
OW-specific instructions for vuln. reporting

We went through a case last year where a company reported a vulnerability
to us through security@a.o and we cc'ed them on all the communications. I
think that worked well. Are you suggesting we have our own project 
security
mailing list that goes to both our private list and security@a.o?

-r

On Wed, Mar 20, 2019 at 1:33 PM Matt Sicker <bo...@gmail.com> wrote:

> I'm not exactly sure on the process, but I think it's important to use
> a security-specific mailing list for tracking purposes. If the reports
> don't filter through security@apache.org, it makes sense to make a
> dedicated security@ mailing list for the project.
>
> On Wed, 20 Mar 2019 at 11:57, Rodric Rabbah <ro...@gmail.com> wrote:
> >
> > Looks good to me - thanks Matt.
> >
> > -r
>
>
>
> --
> Matt Sicker <bo...@gmail.com>
>

Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting

Posted by Rodric Rabbah <ro...@gmail.com>.
We went through a case last year where a company reported a vulnerability
to us through security@a.o and we cc'ed them on all the communications. I
think that worked well. Are you suggesting we have our own project security
mailing list that goes to both our private list and security@a.o?

-r

On Wed, Mar 20, 2019 at 1:33 PM Matt Sicker <bo...@gmail.com> wrote:

> I'm not exactly sure on the process, but I think it's important to use
> a security-specific mailing list for tracking purposes. If the reports
> don't filter through security@apache.org, it makes sense to make a
> dedicated security@ mailing list for the project.
>
> On Wed, 20 Mar 2019 at 11:57, Rodric Rabbah <ro...@gmail.com> wrote:
> >
> > Looks good to me - thanks Matt.
> >
> > -r
>
>
>
> --
> Matt Sicker <bo...@gmail.com>
>

Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting

Posted by Matt Sicker <bo...@gmail.com>.
I'm not exactly sure on the process, but I think it's important to use
a security-specific mailing list for tracking purposes. If the reports
don't filter through security@apache.org, it makes sense to make a
dedicated security@ mailing list for the project.

On Wed, 20 Mar 2019 at 11:57, Rodric Rabbah <ro...@gmail.com> wrote:
>
> Looks good to me - thanks Matt.
>
> -r

-- 
Matt Sicker <bo...@gmail.com>

Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting

Posted by Rodric Rabbah <ro...@gmail.com>.
Looks good to me - thanks Matt.

-r