Posted to dev@cloudstack.apache.org by John Kinsella <jl...@stratosec.co> on 2012/07/02 00:28:26 UTC

Re: Security Policy was: Query regarding where to store encryption keys

I just noticed bugs.cloudstack.org has a "Security Level" field, but no options available… I'm guessing we want to put something there?

John

On Jun 29, 2012, at 12:43 PM, John Kinsella wrote:

> I think that list looks about right. I'm open to ideas on how to manage and share that PGP key. My key can be found on the MIT key server, should be on the PGP server soon.
> 
> Updated URL for wiki page (I removed "draft") http://wiki.cloudstack.org/display/COMM/Security+response+procedure
> 
> John
> 
> On Jun 29, 2012, at 12:05 PM, Clement Chen wrote:
> 
>> A couple of action items:
>> 
>> 1. Create an email address - security@cloudstack.org as the dedicated communication channel for security issues.
>> 2. Create a PGP key for the above email address.
>> 3. Create a webpage (for example, http://www.cloudstack.org/security) to publish the security policy John created and tell users how to report security issues to CloudStack.
>> 
>> I can take care of 2. Not sure whom to contact for 1. and 3.? Should I file a ticket for them?
>> 
>> Thanks.
>> 
>> -Clement
>> 
>> -----Original Message-----
>> From: David Nalley [mailto:david@gnsa.us] 
>> Sent: Friday, June 29, 2012 10:44 AM
>> To: cloudstack-dev@incubator.apache.org
>> Subject: Security Policy was: Query regarding where to store encryption keys
>> 
>> I don't want to lose track of this conversation. I think John's proposal makes a lot of sense. What is actionable out of this?
>> 
>> --David
>> 
>> On Fri, Jun 22, 2012 at 8:13 PM, John Kinsella <jl...@stratosec.co> wrote:
>>> Concur on both. I've been in an appsec mode recently and sending people to the OWASP site so that came to mind, but CVSS is better known. I mentioned CVE directly as "MITRE" might confuse people, but probably not an issue. Wiki's been updated.
>>> 
>>> Any other feedback/thoughts are welcome.
>>> 
>>> John
>>> 
>>> On Jun 22, 2012, at 4:21 PM, Clement Chen wrote:
>>> 
>>>> Hi John,
>>>> 
>>>> It looks nice. Two comments:
>>>> 
>>>> 1. Regarding risk rating, it seems to me that CVSS (http://www.first.org/cvss) has wider adoption than the "OWASP risk rating methodology". Every security vulnerability in the National Vulnerability Database (http://nvd.nist.gov/) has a CVSS score.
>>>> 2. It should be "Security team works with MITRE to reserve a CVE identifier". MITRE is the organization that manages CVE.
>>>> 
>>>> Thanks.
>>>> 
>>>> -Clement
>>>> 
>>>> -----Original Message-----
>>>> From: John Kinsella [mailto:jlk@stratosec.co]
>>>> Sent: Thursday, June 21, 2012 7:26 PM
>>>> To: cloudstack-dev@incubator.apache.org
>>>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>>>> Subject: Re: Query regarding where to store encryption keys
>>>> 
>>>> OK - draft up at http://wiki.cloudstack.org/display/COMM/Draft%3A+Security+response+procedure
>>>> 
>>>> I think out of the 3 below, I like the OS and Eucalyptus pages the most, as they stress that security is important and that contact will be responded to quickly.
>>>> 
>>>> Give feedback on the draft above - then let's talk next steps... I'd say we need a security list, a PGP key behind it, a security notification page somewhere on the CS site, and I wouldn't mind seeing a twitter feed specifically for security announcements, as well...
>>>> 
>>>> John
>>>> 
>>>> On Jun 20, 2012, at 1:21 PM, Clement Chen wrote:
>>>> 
>>>>> We should set up a dedicated channel for security issues and handle security bugs carefully.
>>>>> 
>>>>> Below are some of the examples:
>>>>> 
>>>>> Apache HTTP Server Project:
>>>>> http://httpd.apache.org/security_report.html
>>>>> OpenStack: http://openstack.org/projects/openstack-security/
>>>>> Eucalyptus:
>>>>> http://www.eucalyptus.com/eucalyptus-cloud/security/procedures
>>>>> 
>>>>> -Clement
>>>>> 
>>>>> -----Original Message-----
>>>>> From: David Nalley [mailto:david@gnsa.us]
>>>>> Sent: Wednesday, June 20, 2012 12:59 PM
>>>>> To: cloudstack-dev@incubator.apache.org
>>>>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>>>>> Subject: Re: Query regarding where to store encryption keys
>>>>> 
>>>>> On Wed, Jun 20, 2012 at 3:50 PM, Ewan Mellor <Ew...@eu.citrix.com> wrote:
>>>>>>> -----Original Message-----
>>>>>>> From: David Nalley [mailto:david@gnsa.us]
>>>>>>> Sent: Wednesday, June 20, 2012 12:32 PM
>>>>>>> To: cloudstack-dev@incubator.apache.org
>>>>>>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>>>>>>> Subject: Re: Query regarding where to store encryption keys
>>>>>>> 
>>>>>>> On Wed, Jun 20, 2012 at 3:15 PM, Vijayendra Bhamidipati 
>>>>>>> <vi...@citrix.com> wrote:
>>>>>>>> Hi Team,
>>>>>>>> 
>>>>>>>> This is with reference to bug CS-15151 (http://bugs.cloudstack.org/browse/CS-15151). I have some questions and it would be great if you could share your knowledge and suggestions.
>>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> Why is that bug not publicly visible?
>>>>>> 
>>>>>> Probably because it's highlighting a potential security hole. That seems like a reasonable precaution for the reporter to have taken.
>>>>>> 
>>>>>> Would you like to handle these some other way?
>>>>>> 
>>>>>> Ewan.
>>>>>> 
>>>>> 
>>>>> That's a perfectly valid reason to keep it private, though now the content of the bug has been publicly discussed, so one wonders at the continued utility of it being private.
>>>>> 
>>>>> Perhaps it's a good time to segue to discussing how we wish to handle security bugs, and get that documented.
>>>>> 
>>>>> --David
>>>> 
>>>> 
>>> 
>>> Stratosec - Secure Infrastructure as a Service
>>> o: 415.315.9385
>>> @johnlkinsella
>>> 
> 
> Stratosec - Secure Infrastructure as a Service
> o: 415.315.9385
> @johnlkinsella
> 

Stratosec - Secure Infrastructure as a Service
o: 415.315.9385
@johnlkinsella