StarlingX/Security
Revision as of 19:50, 11 April 2019

StarlingX Security Sub-project

Vulnerability Management Team Information

Team Operations

The Vulnerability Management Team meets weekly to discuss ongoing security issues. These meetings are private and closed to the community as a whole until the embargo on a particular security issue is lifted. Ongoing security hardening and feature development, by contrast, are discussed and specified in the open. Technical discussion beyond the specifications and reviews takes place on the weekly community call every Wednesday.

Vulnerability Management Process

The StarlingX Vulnerability Management Team is the first point of contact for StarlingX security issues. It is responsible for the vulnerability handling and disclosure process.

See https://wiki.openstack.org/wiki/StarlingX/Security/Vulnerability_Management

Banned C-Function Policy

The StarlingX Vulnerability Management Team recommends limiting the use of certain C functions because they are prone to introducing security issues (unbounded copies and formatting into fixed-size buffers). The page below outlines the current policy:

See https://wiki.openstack.org/wiki/StarlingX/Security/Banned_C_Functions
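The linked policy page carries the actual list of restricted functions. The pair of snippets below is an added illustration, not StarlingX code, of the defect class such a policy targets and of the bounded replacement a reviewer would ask for. It assumes that strcpy() and sprintf() are among the restricted functions, which this page does not itself state; NAME_MAX and the host/port inputs are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size destination used by both versions (constructed) */

/*
 * Pattern a banned-function policy targets: strcpy() and sprintf() write
 * until they see a NUL or finish formatting, with no knowledge of how large
 * the destination is. Any src longer than NAME_MAX - 1 overflows dst.
 * (Assumption: functions of this kind are on the StarlingX list; the list
 * itself lives on the linked policy page.)
 */
void set_name_unsafe(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);
}

void format_endpoint_unsafe(char dst[NAME_MAX], const char *host, unsigned port)
{
    sprintf(dst, "%s:%u", host, port);
}

/*
 * Replacement: every write is bounded by a destination size the caller
 * passes explicitly, and an input that would not fit is rejected rather
 * than silently truncated (truncation is itself a bug when the string is
 * a hostname or a path).
 */
bool set_name_safe(char *dst, size_t dst_len, const char *src)
{
    /* Look for the terminating NUL only within dst_len bytes of src, so an
     * unterminated or overlong src can neither be read nor written past bounds. */
    const char *end = memchr(src, '\0', dst_len);
    if (end == NULL)
        return false;              /* src needs more than dst_len bytes */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return true;
}

bool format_endpoint_safe(char *dst, size_t dst_len, const char *host, unsigned port)
{
    /* snprintf() never writes more than dst_len bytes; its return value is
     * the length the full string would have had, so r >= dst_len means the
     * output was cut short and must not be used. */
    int r = snprintf(dst, dst_len, "%s:%u", host, port);
    return r >= 0 && (size_t)r < dst_len;
}

int main(void)
{
    char name[NAME_MAX];
    char ep[NAME_MAX];

    /* Short inputs behave identically in both versions. */
    set_name_unsafe(name, "controller-0");
    printf("unsafe copy:  %s\n", name);

    /* Overlong input: the bounded version reports the problem... */
    if (!set_name_safe(name, sizeof name, "controller-0-standby-node"))
        printf("safe copy:    rejected overlong name\n");
    /* ...whereas set_name_unsafe() would have written past 'name' here. */

    if (format_endpoint_safe(ep, sizeof ep, "10.10.10.2", 5000))
        printf("safe format:  %s\n", ep);
    if (!format_endpoint_safe(ep, sizeof ep, "192.168.204.2", 5000))
        printf("safe format:  rejected endpoint that does not fit\n");
    return 0;
}
```

The design point is that the safe variants take the destination size as a parameter and return a status: a caller that ignores the size cannot call them, and a caller that ignores the return value is easy to flag in review.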

Ongoing CVE Maintenance Policy

The StarlingX Vulnerability Management Team promotes ongoing security maintenance for StarlingX, including CVE analysis and support. The page below outlines the current policy:

See https://wiki.openstack.org/wiki/StarlingX/Security/CVE_Support_Policy

StarlingX uses "vuls" (https://vuls.io/) for CVE scanning.

Action: Document the scanner setup so that anyone can replicate the scan in public.

How to report security issues to StarlingX

If you think you have identified a vulnerability, please work with us to fix and disclose the issue responsibly. By default, StarlingX treats all reported issues as private until they have been triaged by the StarlingX Vulnerability Management Team. There are two ways to report an issue to the StarlingX VMT, depending on how sensitive it is:

  1. Open the StarlingX bug tracking page on Launchpad and click the ‘Report a bug’ link at the top right of the page.
    1. Launchpad shows a “Report a bug --> Summary:” text field. Describe the bug in a few words.
      • Click the “Next” button.
        • Launchpad shows a “Further information:” text field.
        • Check the similar bugs Launchpad lists to avoid filing a duplicate.
      • Follow the StarlingX bug reporting guidelines and use the template they suggest.
      • At the bottom of the page, select the “This bug is a security vulnerability” checkbox so that the report is not public.
      • Expand “Extra Options”.
        • Add the “stx.security” tag.
        • Attach logs or other files that will help the development team reproduce the issue.
      • Click the “Submit Bug Report” button.
    2. Once the bug is created, go to “Other bug subscribers” in the right-hand panel.
      • Click the “+ Subscribe someone else” link; a “Subscribe someone else” search pop-up appears.
      • Add the following users:
        • Ken Young (kenyis) WR
        • Brent Rowsell (brent-rowsell) WR
        • Cindy Xie (xxie1) Intel
        • Bruce Jones (brucej) Intel
  2. If the issue is extremely sensitive or you are otherwise unable to use the bug tracker directly, send an e-mail message to one or more of the Team’s members:

Team Objective / Priorities

  • Responsible for all work items related to StarlingX security
  • Short Term Priorities (2018)
  • Long Term Priorities (2019)
    • TBD

Tags

All story board stories and launchpad bugs created for this team should use the tag "stx.security".

Team Work Items

  • ToDo:
    • Evaluate this report and create Stories to address it (if needed).
    • Address issues raised in the Intel internal SAFE review

Status

  • Capture status - what's the cadence? weekly?
  • 2018/08/06:
  • 2018/08/13: