Re: [openstack-dev] [manila] [security] [tc] Add the vulnerability:managed tag to Manila
Jeremy hit all the major points there. What we do is basically model things based on a best-practice use case, we rely on the project to make good choices in this regard with a view to configurations, protocols etc. Then we conduct an asset-oriented threat review, during which we create documentation that looks a lot like https://review.openstack.org/#/c/357978/5 It's not overly heavyweight and provides us with enough information to make some reasonably in-depth judgements and provide advice on areas where a project might have some weaknesses in design or implementation. A good first step is to say hello during one of our IRC meetings, 1700 UTC on #openstack-meeting-alt Cheers -Rob On Thu, Sep 1, 2016 at 4:38 PM, Ben Swartzlanderwrote: > Thanks fungi. I misunderstood the full scope of the requirements for > vulnerability management and since we don't yet have volunteers willing to > perform all the required duties, I'm going to withdraw the tag request. > > As soon as interested community members step up to take on the > responsibilities I'll reapply for the tag. > > -Ben Swartzlander > > > > On 08/30/2016 01:07 PM, Jeremy Stanley wrote: > >> Ben has proposed[1] adding manila, manila-ui and python-manilaclient >> to the list of deliverables whose vulnerability reports and >> advisories are overseen by the OpenStack Vulnerability Management >> Team. This proposal is an assertion that the requirements[2] for the >> vulnerability:managed governance tag are met by these deliverables. >> As such, I wanted to initiate a discussion evaluating each of the >> listed requirements to see how far along those deliverables are in >> actually fulfilling these criteria. >> >> 1. All repos for a covered deliverable must meet the criteria or >> else none do. Easy enough, each deliverable has only one repo so >> this isn't really a concern. >> >> 2. We need a dedicated point of contact for security issues. Our >> typical point of contact would be a manila-coresec team in >> Launchpad, but that doesn't exist[3] (yet). Since you have a fairly >> large core review team[4], you should pick a reasonable subset of >> those who are willing to act as the next line of triage after the >> VMT hands off a suspected vulnerability report under embargo. You >> should have at least a couple of active volunteers for this task so >> there's good coverage, but more than 5 or so is probably pushing the >> bounds of information safety. Not all of them need to be core >> reviewers, but enough of them should be so that patches proposed as >> attachments to private bugs can effectively be "pre-approved" in an >> effort to avoid delays merging at time of publication. >> >> 3. The PTL needs to agree to act as a point of escalation or >> delegate this responsibility to a specific liaison. This is Ben by >> default, but if he's not going to have time to serve in that role >> then he should record a dedicated Vulnerability Management Liaison >> in the CPLs list[5]. >> >> 4. Configure sharing[6][7][8] on the defect trackers for these >> deliverables so that OpenStack Vulnerability Management team >> (openstack-vuln-mgmt) has "Private Security: All". Once the >> vulnerability:managed tag is approved for them, also remove the >> "Private Security: All" sharing from any other teams (so that the >> VMT can redirect incorrectly reported vulnerabilities without >> prematurely disclosing them to manila reviewers). >> >> 5. Independent security review, audit, or threat analysis... this is >> almost certainly the hardest to meet. After some protracted >> discussion on Kolla's application for this tag, it was determined >> that projects should start supplying threat analyses to a central >> security-analysis[9] repo where they can be openly reviewed and >> ultimately published. No projects have actually completed this yet, >> but there is some process being finalized by the Security Team which >> projects will hopefully be able to follow. You may want to check >> with them on the possibility of being an early adopter for that >> process. >> >> 6. Covered deliverables need tests we can rely on to be able to >> evaluate whether privately proposed security patches will break the >> software. A cursory look shows many jobs[10] running in our upstream >> CI for changes to these repos, so that requirement is probably >> addressed (I did not yet check whether those >> unit/functional/integration tests are particularly extensive). >> >> So in summary, it looks like there are still some outstanding >> requirements not yet met for the vulnerability:managed tag but I >> don't see any insurmountable challenges there. Please let me know if >> any of the above is significantly off-track. >> >> [1] https://review.openstack.org/350597 >> [2] https://governance.openstack.org/reference/tags/vulnerabilit >> y_managed.html#requirements >> [3] https://launchpad.net/~manila-coresec >> [4] https://review.openstack.org/#/admin/groups/213,members >> [5]
Re: [openstack-dev] [manila] [security] [tc] Add the vulnerability:managed tag to Manila
Thanks fungi. I misunderstood the full scope of the requirements for vulnerability management and since we don't yet have volunteers willing to perform all the required duties, I'm going to withdraw the tag request. As soon as interested community members step up to take on the responsibilities I'll reapply for the tag. -Ben Swartzlander On 08/30/2016 01:07 PM, Jeremy Stanley wrote: Ben has proposed[1] adding manila, manila-ui and python-manilaclient to the list of deliverables whose vulnerability reports and advisories are overseen by the OpenStack Vulnerability Management Team. This proposal is an assertion that the requirements[2] for the vulnerability:managed governance tag are met by these deliverables. As such, I wanted to initiate a discussion evaluating each of the listed requirements to see how far along those deliverables are in actually fulfilling these criteria. 1. All repos for a covered deliverable must meet the criteria or else none do. Easy enough, each deliverable has only one repo so this isn't really a concern. 2. We need a dedicated point of contact for security issues. Our typical point of contact would be a manila-coresec team in Launchpad, but that doesn't exist[3] (yet). Since you have a fairly large core review team[4], you should pick a reasonable subset of those who are willing to act as the next line of triage after the VMT hands off a suspected vulnerability report under embargo. You should have at least a couple of active volunteers for this task so there's good coverage, but more than 5 or so is probably pushing the bounds of information safety. Not all of them need to be core reviewers, but enough of them should be so that patches proposed as attachments to private bugs can effectively be "pre-approved" in an effort to avoid delays merging at time of publication. 3. The PTL needs to agree to act as a point of escalation or delegate this responsibility to a specific liaison. This is Ben by default, but if he's not going to have time to serve in that role then he should record a dedicated Vulnerability Management Liaison in the CPLs list[5]. 4. Configure sharing[6][7][8] on the defect trackers for these deliverables so that OpenStack Vulnerability Management team (openstack-vuln-mgmt) has "Private Security: All". Once the vulnerability:managed tag is approved for them, also remove the "Private Security: All" sharing from any other teams (so that the VMT can redirect incorrectly reported vulnerabilities without prematurely disclosing them to manila reviewers). 5. Independent security review, audit, or threat analysis... this is almost certainly the hardest to meet. After some protracted discussion on Kolla's application for this tag, it was determined that projects should start supplying threat analyses to a central security-analysis[9] repo where they can be openly reviewed and ultimately published. No projects have actually completed this yet, but there is some process being finalized by the Security Team which projects will hopefully be able to follow. You may want to check with them on the possibility of being an early adopter for that process. 6. Covered deliverables need tests we can rely on to be able to evaluate whether privately proposed security patches will break the software. A cursory look shows many jobs[10] running in our upstream CI for changes to these repos, so that requirement is probably addressed (I did not yet check whether those unit/functional/integration tests are particularly extensive). So in summary, it looks like there are still some outstanding requirements not yet met for the vulnerability:managed tag but I don't see any insurmountable challenges there. Please let me know if any of the above is significantly off-track. [1] https://review.openstack.org/350597 [2] https://governance.openstack.org/reference/tags/vulnerability_managed.html#requirements [3] https://launchpad.net/~manila-coresec [4] https://review.openstack.org/#/admin/groups/213,members [5] https://wiki.openstack.org/wiki/CrossProjectLiaisons#Vulnerability_management [6] https://launchpad.net/manila/+sharing [7] https://launchpad.net/manila-ui/+sharing [8] https://launchpad.net/pythonmanilaclient/+sharing [9] https://git.openstack.org/cgit/openstack/security-analysis/tree/doc/source/templates/ [10] https://git.openstack.org/cgit/openstack-infra/project-config/tree/zuul/layout.yaml __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [manila] [security] [tc] Add the vulnerability:managed tag to Manila
On 2016-08-31 10:18:57 +0100 (+0100), John Spray wrote: [...] > Given that all the drivers live in the Manila repo, will this > requirement for security audits is going to apply to them? Given the > variety of technologies and network protocols involved in talking to > external storage systems, this strikes me as probably the hardest > part. [...] Perhaps, but if you look at the templates the Security Group has started putting together they're not for a rigorous code audit: https://git.openstack.org/cgit/openstack/security-analysis/tree/doc/source/templates/ The idea, as I understand it, is that projects will document their architecture and security model, and call out risks they can identify posed by different parts thereof. So for drivers in the manila repo, this is perhaps things like risk in leaking credentials for the storage backend to unauthorized parties or failure to enforce isolation of data access between distinct privilege domains. Then others outside manila can review and provide feedback on this information, ask questions, and help refine it. Then it eventually becomes a living document of the project's design and risk profile both to benefit the users/community at large and also to make it easier for the VMT and the manila-coresec team to classify reports of potential vulnerabilities. If anything, I suspect in-tree drivers for proprietary backends are going to be harder to map to requirement #6 (ability for the VMT to test fixes), but the way it's been handled in other already grandfathered-in projects is that the core security review team for that project subscribes a subject matter expert to the bug and they use their knowledge/access to vet proposed fixes under embargo and then we take their word for it. -- Jeremy Stanley __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [manila] [security] [tc] Add the vulnerability:managed tag to Manila
On Tue, Aug 30, 2016 at 6:07 PM, Jeremy Stanleywrote: > Ben has proposed[1] adding manila, manila-ui and python-manilaclient > to the list of deliverables whose vulnerability reports and > advisories are overseen by the OpenStack Vulnerability Management > Team. This proposal is an assertion that the requirements[2] for the > vulnerability:managed governance tag are met by these deliverables. > As such, I wanted to initiate a discussion evaluating each of the > listed requirements to see how far along those deliverables are in > actually fulfilling these criteria. > > 1. All repos for a covered deliverable must meet the criteria or > else none do. Easy enough, each deliverable has only one repo so > this isn't really a concern. > > 2. We need a dedicated point of contact for security issues. Our > typical point of contact would be a manila-coresec team in > Launchpad, but that doesn't exist[3] (yet). Since you have a fairly > large core review team[4], you should pick a reasonable subset of > those who are willing to act as the next line of triage after the > VMT hands off a suspected vulnerability report under embargo. You > should have at least a couple of active volunteers for this task so > there's good coverage, but more than 5 or so is probably pushing the > bounds of information safety. Not all of them need to be core > reviewers, but enough of them should be so that patches proposed as > attachments to private bugs can effectively be "pre-approved" in an > effort to avoid delays merging at time of publication. > > 3. The PTL needs to agree to act as a point of escalation or > delegate this responsibility to a specific liaison. This is Ben by > default, but if he's not going to have time to serve in that role > then he should record a dedicated Vulnerability Management Liaison > in the CPLs list[5]. > > 4. Configure sharing[6][7][8] on the defect trackers for these > deliverables so that OpenStack Vulnerability Management team > (openstack-vuln-mgmt) has "Private Security: All". Once the > vulnerability:managed tag is approved for them, also remove the > "Private Security: All" sharing from any other teams (so that the > VMT can redirect incorrectly reported vulnerabilities without > prematurely disclosing them to manila reviewers). > > 5. Independent security review, audit, or threat analysis... this is > almost certainly the hardest to meet. After some protracted > discussion on Kolla's application for this tag, it was determined > that projects should start supplying threat analyses to a central > security-analysis[9] repo where they can be openly reviewed and > ultimately published. No projects have actually completed this yet, > but there is some process being finalized by the Security Team which > projects will hopefully be able to follow. You may want to check > with them on the possibility of being an early adopter for that > process. Given that all the drivers live in the Manila repo, will this requirement for security audits is going to apply to them? Given the variety of technologies and network protocols involved in talking to external storage systems, this strikes me as probably the hardest part. John > 6. Covered deliverables need tests we can rely on to be able to > evaluate whether privately proposed security patches will break the > software. A cursory look shows many jobs[10] running in our upstream > CI for changes to these repos, so that requirement is probably > addressed (I did not yet check whether those > unit/functional/integration tests are particularly extensive). > > So in summary, it looks like there are still some outstanding > requirements not yet met for the vulnerability:managed tag but I > don't see any insurmountable challenges there. Please let me know if > any of the above is significantly off-track. > > [1] https://review.openstack.org/350597 > [2] > https://governance.openstack.org/reference/tags/vulnerability_managed.html#requirements > [3] https://launchpad.net/~manila-coresec > [4] https://review.openstack.org/#/admin/groups/213,members > [5] > https://wiki.openstack.org/wiki/CrossProjectLiaisons#Vulnerability_management > [6] https://launchpad.net/manila/+sharing > [7] https://launchpad.net/manila-ui/+sharing > [8] https://launchpad.net/pythonmanilaclient/+sharing > [9] > https://git.openstack.org/cgit/openstack/security-analysis/tree/doc/source/templates/ > [10] > https://git.openstack.org/cgit/openstack-infra/project-config/tree/zuul/layout.yaml > > -- > Jeremy Stanley > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > __ OpenStack Development Mailing List (not for usage questions) Unsubscribe:
[openstack-dev] [manila] [security] [tc] Add the vulnerability:managed tag to Manila
Ben has proposed[1] adding manila, manila-ui and python-manilaclient to the list of deliverables whose vulnerability reports and advisories are overseen by the OpenStack Vulnerability Management Team. This proposal is an assertion that the requirements[2] for the vulnerability:managed governance tag are met by these deliverables. As such, I wanted to initiate a discussion evaluating each of the listed requirements to see how far along those deliverables are in actually fulfilling these criteria. 1. All repos for a covered deliverable must meet the criteria or else none do. Easy enough, each deliverable has only one repo so this isn't really a concern. 2. We need a dedicated point of contact for security issues. Our typical point of contact would be a manila-coresec team in Launchpad, but that doesn't exist[3] (yet). Since you have a fairly large core review team[4], you should pick a reasonable subset of those who are willing to act as the next line of triage after the VMT hands off a suspected vulnerability report under embargo. You should have at least a couple of active volunteers for this task so there's good coverage, but more than 5 or so is probably pushing the bounds of information safety. Not all of them need to be core reviewers, but enough of them should be so that patches proposed as attachments to private bugs can effectively be "pre-approved" in an effort to avoid delays merging at time of publication. 3. The PTL needs to agree to act as a point of escalation or delegate this responsibility to a specific liaison. This is Ben by default, but if he's not going to have time to serve in that role then he should record a dedicated Vulnerability Management Liaison in the CPLs list[5]. 4. Configure sharing[6][7][8] on the defect trackers for these deliverables so that OpenStack Vulnerability Management team (openstack-vuln-mgmt) has "Private Security: All". Once the vulnerability:managed tag is approved for them, also remove the "Private Security: All" sharing from any other teams (so that the VMT can redirect incorrectly reported vulnerabilities without prematurely disclosing them to manila reviewers). 5. Independent security review, audit, or threat analysis... this is almost certainly the hardest to meet. After some protracted discussion on Kolla's application for this tag, it was determined that projects should start supplying threat analyses to a central security-analysis[9] repo where they can be openly reviewed and ultimately published. No projects have actually completed this yet, but there is some process being finalized by the Security Team which projects will hopefully be able to follow. You may want to check with them on the possibility of being an early adopter for that process. 6. Covered deliverables need tests we can rely on to be able to evaluate whether privately proposed security patches will break the software. A cursory look shows many jobs[10] running in our upstream CI for changes to these repos, so that requirement is probably addressed (I did not yet check whether those unit/functional/integration tests are particularly extensive). So in summary, it looks like there are still some outstanding requirements not yet met for the vulnerability:managed tag but I don't see any insurmountable challenges there. Please let me know if any of the above is significantly off-track. [1] https://review.openstack.org/350597 [2] https://governance.openstack.org/reference/tags/vulnerability_managed.html#requirements [3] https://launchpad.net/~manila-coresec [4] https://review.openstack.org/#/admin/groups/213,members [5] https://wiki.openstack.org/wiki/CrossProjectLiaisons#Vulnerability_management [6] https://launchpad.net/manila/+sharing [7] https://launchpad.net/manila-ui/+sharing [8] https://launchpad.net/pythonmanilaclient/+sharing [9] https://git.openstack.org/cgit/openstack/security-analysis/tree/doc/source/templates/ [10] https://git.openstack.org/cgit/openstack-infra/project-config/tree/zuul/layout.yaml -- Jeremy Stanley signature.asc Description: Digital signature __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev