Hello All,

We will shortly be sharing the results of the threat analysis audit that is underway within the security group.

This will be in the format of an email sent to the PTL of each audited project, with a restricted Google Drive link to the report. The PTL's email will be added with view / comment permissions on the report. If the contact email is not enabled for Google services, the PTL should reply and provide one that is. You may also request access for other committers in your project by providing their respective email addresses.

We elected to use Google Drive as it allows access control, some amount of data privacy (https) and a comment system for discussion. If you cannot use Google Drive / don't want to, then we can share the report using GPG encrypted email / file instead.

Note: anything that is high risk and needs embargo will instead be handled in a private Jira issue and will follow the vulnerability process devised in the OPNFV Security Group [1].

Some FAQ:

Q: Why not share in public? It's open source.
A: As the reports highlight potential security risks, it is responsible and right to allow the project's PTL time to comment on the risk, work with the security group, and if need be prepare patches. This is known as 'Responsible Disclosure' [2] and is a widely adopted process in open source projects.

Q: What sort of risks will you be reporting, what can we expect?
A: Most of the feedback is geared to promote secure coding. In the security group, we have performed analysis on each project's code and architecture by looking for typical risk patterns such as shell executions, XSS attacks, use of poor encryption etc. You can find some more details on our wiki [3] or within the Linux Foundation Core Infrastructure Initiative [4]. When we can, we make recommended remediations, often using the same reported code.

Q: I have some items in my report, and I am concerned / don't understand the context?
A: You may contact the auditor named in your report to discuss any items in more detail.

Q: Hmmm, my report highlights a risk, you're wrong and I disagree!
A: You know your project's code (and its intention, exposure, use case) much better than us. A risk we highlight could be a false positive. We are also fully aware that OPNFV projects perform a lot of blackbox style testing against environments which are then ripped down and cleaned post test, so what would be a risk in production (hard coded passwords) is not a risk in a test environment. We also welcome discussion, should you have some helpful input.

Q: Yay! So does this mean OPNFV is 100% secure?!
A: Not as such. There is a well known quote used in SEC: 'There is no security on this earth; there is only opportunity'. We do this to promote friendly discussions on security, improve security awareness and as an outreach to developers within the community. We do not do this to unfairly criticise any individual or project, nor to provide absolute guarantees to users of OPNFV. Of course, the result of this in turn naturally promotes better security awareness in OPNFV, so that is the positive take away.

Q: This really helped me! Thanks!
A: Happy to have helped, show some love! Security can often seem like a thankless task with little reward, so let others know how it helped you.

[1] https://wiki.opnfv.org/pages/viewpage.action?pageId=2926046
[2] https://en.wikipedia.org/wiki/Responsible_disclosure
[3] https://wiki.opnfv.org/display/security/Securecode
[4] https://www.coreinfrastructure.org/

Best Regards,
Luke (OPNFV Security Group)
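As an illustration of the "risk pattern" style of finding the FAQ above describes (shell executions, hard-coded passwords, weak hashes) and of a remediation that keeps the reported code's purpose, here is an added Python example. It is not code from any OPNFV project or from the security group's reports: the SAMPLE_SOURCE snippet, the function names, the host-name rule and the regexes are all constructed for this example and are simpler than what a real audit would use.

```python
"""Added example: one audit-style risk pattern (shell execution with
untrusted input) shown as the flagged form and a remediated form, plus a
small line-based scanner for a few such patterns. Not OPNFV project code."""
import re
import subprocess
from typing import List, Tuple

# Assumed host-name rule for the example: letters, digits, dots, hyphens,
# and the value must not start with '-' so ping can never parse it as an option.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_ping_command_vulnerable(host: str) -> str:
    """The pattern an audit flags: a command string assembled from untrusted
    input and destined for shell=True. host='x; cat /etc/passwd' becomes two
    commands once the shell parses it."""
    return "ping -c 1 " + host


def run_ping_vulnerable(host: str) -> int:
    # Flagged form: shell=True on attacker-influenced text.
    return subprocess.call(build_ping_command_vulnerable(host), shell=True)


def build_ping_command_hardened(host: str) -> List[str]:
    """Remediation using the same code: validate the input against an
    allow-list, then pass an argv list so no shell ever sees it."""
    if not _HOST_RE.match(host):
        raise ValueError("refusing unsafe host value: %r" % (host,))
    return ["ping", "-c", "1", host]


def run_ping_hardened(host: str) -> int:
    # No shell involved; arguments reach ping exactly as listed.
    return subprocess.call(build_ping_command_hardened(host))


# Constructed regexes for a few risk patterns of the kind the audit looks for.
# Real tooling would parse the code rather than grep it; this is illustrative.
RISK_PATTERNS = {
    "shell execution": re.compile(r"shell\s*=\s*True|\bos\.system\s*\(|\bos\.popen\s*\("),
    "hard-coded secret": re.compile(r"""(?i)(password|passwd|secret|token)\s*=\s*['"][^'"]+['"]"""),
    "weak hash": re.compile(r"\bhashlib\.(md5|sha1)\s*\("),
}


def find_risk_patterns(source: str) -> List[Tuple[int, str]]:
    """Return (line number, pattern name) for every line matching a pattern."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RISK_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


# Constructed sample source for the scanner; not taken from any project.
SAMPLE_SOURCE = '''\
import os, hashlib
ADMIN_PASSWORD = "changeme"
def deploy(node):
    os.system("ssh root@" + node + " reboot")
def checksum(data):
    return hashlib.md5(data).hexdigest()
def ok(path):
    return subprocess.check_output(["ls", path])
'''


if __name__ == "__main__":
    for lineno, name in find_risk_patterns(SAMPLE_SOURCE):
        print("line %d: %s" % (lineno, name))
    print(build_ping_command_hardened("example.org"))
```

The scanner deliberately reports `os.system` with a concatenated node name and the `md5` checksum but not the argv-list `check_output` call, which is the shape the remediation above produces; whether a hard-coded password on line 2 is a real risk or a throw-away test-environment credential is exactly the judgement the FAQ leaves to the project.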
opnfv-tech-discuss mailing list
[email protected]
https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss
