Difference between revisions of "StarlingX/Security"
Earlier revision (→Vulnerability Management Process) compared with the revision by Ghada.khalil (talk | contribs) (→How to report security issues to StarlingX); 9 intermediate revisions by 2 users not shown.
Revision as of 15:07, 21 October 2019
StarlingX Security Sub-project
Vulnerability Management Team Information
- Project Lead: Ghada Khalil <Ghada.Khalil@windriver.com>
- Technical Lead: Ghada Khalil <Ghada.Khalil@windriver.com>
- Contributors: Cindy Xie <cindy.xie@intel.com>; Bruce Jones <bruce.e.jones@intel.com>; Brent Rowsell <Brent.Rowsell@windriver.com>; Ken Young (Jun 2018-Aug 2019) <Ken.Young@windriver.com>
Team Operations
The Vulnerability Management Team meets biweekly to discuss ongoing security issues. These meetings are private and closed to the community as a whole until the embargo is lifted on a particular security issue. For ongoing security hardening and feature development, these discussions and specifications are completed in the open. Technical discussions beyond the specifications and reviews will be held on the community call held every Wednesday.
Vulnerability Management Process
The StarlingX Vulnerability Management team is the first point of contact for StarlingX security issues. They are responsible for the vulnerability handling and disclosure process.
See https://wiki.openstack.org/wiki/StarlingX/Security/Vulnerability_Management
Banned C-Function Policy
The StarlingX Vulnerability Management team recommends limiting the use of certain C functions, given that they are prone to introducing security issues. The page linked below outlines the current policy:
See https://wiki.openstack.org/wiki/StarlingX/Security/Banned_C_Functions
Ongoing CVE Maintenance Policy
The StarlingX Vulnerability Management team is promoting ongoing security maintenance for StarlingX including CVE Analysis and Support. The current policy is outlined at: https://wiki.openstack.org/wiki/StarlingX/Security/CVE_Support_Policy
StarlingX uses "vuls" (https://vuls.io/) for CVE scanning. The detailed scanning procedure is documented at: https://wiki.openstack.org/wiki/StarlingX/Security/CVE_Scanning_Procedure
How to report security issues to StarlingX
If you think you’ve identified a vulnerability, please work with us to rectify and disclose the issue responsibly. By default, StarlingX considers all issues private until they have been triaged by the StarlingX Vulnerability Management Team. We provide two ways to report issues to the StarlingX VMT depending on how sensitive the issue is:
1. Open the StarlingX bug tracking page (https://bugs.launchpad.net/starlingx) and click the ‘Report a bug’ link (https://bugs.launchpad.net/starlingx/+filebug) at the top right of the page.
   1. The Launchpad web page comes back with a “Report a bug --> Summary:” text field. Please describe the bug in a few words (include the CVE# if there is one).
      - Click the “Next” button.
        - The Launchpad web page should come back with a “Further information:” text field.
        - Please check whether Launchpad has identified similar bugs, to avoid duplicate bugs.
      - Please go to the StarlingX bug reporting guidelines (https://wiki.openstack.org/wiki/StarlingX/BugTemplate) and use the template suggested.
        - If you are reporting an existing CVE, please provide the CVE#, Vector (CVSSv2), Description, Link to NVD DB, Link to CentOS/RHEL bug (if applicable), CentOS Package version which includes the fix (if available).
      - Go to the bottom of the page and select the “ √ This bug is a security vulnerability” checkbox.
      - Click the “Extra Options” arrow.
      - Add the “stx.security” TAG.
      - Please add attachments to help the development team troubleshoot the bug.
      - Click the “Submit Bug Report” button.
      - Click the “Next” button.
      - Once the bug is created, please go to “Other bug subscribers” in the right side frame.
      - Left click on the “+ Subscribe someone else” link and you should get a “Subscribe someone else” pop-up search window.
      - Please add the following users:
        - Ghada Khalil (gkhalil) WR
        - Bill Zvonar (billzvonar) WR
        - Brent Rowsell (brent-rowsell) WR
        - Cindy Xie (xxie1) Intel
        - Bruce Jones (brucej) Intel
        - Victor Rodriguez (vm-rod25) Intel
      - Link the CVE# if applicable using the "Link to CVE" option on the right hand side.
2. If the issue is extremely sensitive or you’re otherwise unable to use the bug tracker directly, please send an e-mail message to the Security Team’s members:
   - Ghada Khalil <Ghada.Khalil@windriver.com>
   - Bruce Jones <bruce.e.jones@intel.com>
   - Cindy Xie <cindy.xie@intel.com>
   - Brent Rowsell <Brent.Rowsell@windriver.com>
   - Victor Rodriguez <victor.rodriguez.bahena@intel.com>
Team Objective / Priorities
- Responsible for work items related to StarlingX security
Tags
All StoryBoard stories and Launchpad bugs created for this team should use the tag "stx.security".
Team Work Items
- Story Board
  - Active Stories (https://storyboard.openstack.org/#!/story/list?status=active&tags=stx.security&project_group_id=86)
  - Merged Stories (https://storyboard.openstack.org/#!/story/list?status=merged&tags=stx.security&project_group_id=86)
- Launchpad Bugs
  - All
    - Open Bugs (https://bugs.launchpad.net/starlingx/+bugs?field.tag=stx.security)
    - Fixed Bugs (https://bugs.launchpad.net/starlingx/+bugs?field.searchtext=&orderby=-importance&field.status%3Alist=FIXRELEASED&assignee_option=any&field.assignee=&field.bug_reporter=&field.bug_commenter=&field.subscriber=&field.structural_subscriber=&field.tag=stx.security&field.tags_combinator=ANY&field.has_cve.used=&field.omit_dupes.used=&field.omit_dupes=on&field.affects_me.used=&field.has_patch.used=&field.has_branches.used=&field.has_branches=on&field.has_no_branches.used=&field.has_no_branches=on&field.has_blueprints.used=&field.has_blueprints=on&field.has_no_blueprints.used=&field.has_no_blueprints=on&search=Search)
- ToDo:
  - Evaluate this report (https://www.bleepingcomputer.com/news/security/researchers-detail-new-cpu-side-channel-attack-named-spectrersb/) and create Stories to address it (if needed).
  - Address issues raised in the Intel internal SAFE review