=== StarlingX Security Sub-project ===

=== Vulnerability Management Team Information ===
* Project Lead: '''Ghada Khalil''' <[mailto:Ghada.Khalil@windriver.com Ghada.Khalil@windriver.com]>
* Technical Lead: '''Ghada Khalil''' <[mailto:Ghada.Khalil@windriver.com Ghada.Khalil@windriver.com]>
* Contributors: '''Yue Tao''' <[mailto:Yue.Tao@windriver.com Yue.Tao@windriver.com]>; '''Mitch Thebeau''' <[mailto:Michel.Thebeau@windriver.com Michel.Thebeau@windriver.com]>; '''Zhixiong Chi''' <[mailto:zhixiong.chi@windriver.com zhixiong.chi@windriver.com]>
* Past Contributors: Bruce Jones <[mailto:bruce.e.jones@intel.com bruce.e.jones@intel.com]>; Sanjay K Mukherjee <[mailto:sanjay.k.mukherjee@intel.com sanjay.k.mukherjee@intel.com]>; Cindy Xie <[mailto:cindy.xie@intel.com cindy.xie@intel.com]>; Gopi Bhat <[mailto:gopalkrishna.bhat@intel.com gopalkrishna.bhat@intel.com]>; Brent Rowsell; Ken Young

=== Team Operations ===
The Security/Vulnerability Management Team meets every two weeks on Mondays to discuss ongoing security issues. These meetings are currently private. If you wish to join them, send your request to Ghada Khalil.

=== Vulnerability Management Process ===
The StarlingX Vulnerability Management Team (VMT) is the first point of contact for StarlingX security issues and is responsible for the vulnerability handling and disclosure process.

See https://wiki.openstack.org/wiki/StarlingX/Security/Vulnerability_Management

=== Banned C-Function Policy ===
The StarlingX Vulnerability Management Team recommends limiting the use of certain C functions because they are prone to introducing security issues such as buffer overflows. The page below outlines the current policy:

See https://wiki.openstack.org/wiki/StarlingX/Security/Banned_C_Functions
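The snippet below is an added illustration of the kind of defect such a policy targets; it is not StarlingX code, and the policy page linked above, not this example, defines which functions StarlingX actually bans. It assumes that unbounded copy and format calls such as strcpy() and sprintf() are among them (typical of such lists); the function names, buffer sizes and sample strings are invented for the example. It pairs the unbounded pattern with bounded replacements that refuse input that does not fit rather than overflowing or silently truncating, and shows the snprintf() return-value check that a bounded call still needs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not StarlingX project code. Function names are ours;
 * strcpy()/sprintf() stand in for the unbounded calls a banned-function
 * policy typically covers. The StarlingX policy page defines the real list.
 */

/* The pattern a banned-function policy exists to catch: nothing ties the
 * copy to the size of dst, so any src of 16 bytes or more writes past the
 * end of the buffer. Kept only for contrast; never called with oversized
 * input in this file. */
void unsafe_set_hostname(char dst[16], const char *src)
{
    strcpy(dst, src);             /* unbounded: overflows if strlen(src) >= 16 */
}

/* Bounded replacement for strcpy(). Returns 0 on success and -1 when src
 * (including its terminating NUL) would not fit. On failure dst is left as
 * an empty string rather than a silently truncated value, so a caller
 * cannot use a partial copy by mistake. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    /* Bounded length scan: never reads more than dst_size bytes of src, so
     * an unterminated src cannot make us read past what we could copy. */
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')
        n++;

    if (n == dst_size) {          /* no room for the NUL: refuse, do not truncate */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);      /* n + 1 copies the terminator as well */
    return 0;
}

/* Bounded replacement for sprintf(). snprintf() never writes past dst_size,
 * but it returns the length the full output *would* have had; treating any
 * non-negative return as success is the classic follow-on bug, so the
 * return value is checked against the buffer size here. */
int safe_format_path(char *dst, size_t dst_size, const char *dir, const char *file)
{
    if (dst == NULL || dir == NULL || file == NULL || dst_size == 0)
        return -1;

    int n = snprintf(dst, dst_size, "%s/%s", dir, file);
    if (n < 0 || (size_t)n >= dst_size) {   /* encoding error or truncated */
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char host[16];   /* sizes and inputs below are made up for the demo */
    char path[32];

    printf("short host: %d (%s)\n", safe_copy(host, sizeof host, "ctrl-0"), host);
    printf("long host:  %d\n",
           safe_copy(host, sizeof host, "controller-0.example.invalid"));
    printf("short path: %d (%s)\n",
           safe_format_path(path, sizeof path, "/etc", "hosts"), path);
    printf("long path:  %d\n",
           safe_format_path(path, sizeof path, "/opt/platform/config/long-directory", "sysinv.conf"));
    return 0;
}
```

A bounded replacement is only as safe as the size it is given: pass sizeof on the actual array, as main does, rather than a constant that can drift away from the declaration, and treat a non-zero return as an error the caller must handle, not a warning it may ignore.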

=== Ongoing CVE Maintenance Policy ===
The StarlingX Vulnerability Management Team promotes ongoing security maintenance for StarlingX, including CVE analysis and support. The current policy is outlined at: https://wiki.openstack.org/wiki/StarlingX/Security/CVE_Support_Policy

StarlingX uses "vuls" (https://vuls.io/) for CVE scanning. The detailed scanning procedure is documented at: https://wiki.openstack.org/wiki/StarlingX/Security/CVE_Scanning_Procedure

=== How to report security issues to StarlingX ===
If you think you have identified a vulnerability, please work with us to rectify and disclose the issue responsibly. By default, StarlingX treats all reported issues as private until they have been triaged by the StarlingX Vulnerability Management Team. There are two ways to report an issue to the StarlingX VMT, depending on how sensitive it is:

# Open the [https://bugs.launchpad.net/starlingx StarlingX bug tracking page] and click the [https://bugs.launchpad.net/starlingx/+filebug ‘Report a bug’] link at the top right of the page.
## Launchpad shows a “Report a bug” form with a “Summary:” text field. Describe the bug in a few words (include the CVE number if there is one).
##* Click the “Next” button.
##** Launchpad should come back with a “Further information:” text field.
##** Check whether Launchpad lists similar existing bugs, to avoid filing a duplicate.
##* Go to the [https://wiki.openstack.org/wiki/StarlingX/BugTemplate StarlingX bug reporting guidelines] and use the suggested template.
##** If you are reporting an existing CVE, provide the CVE number, vector (CVSSv2), description, link to the NVD entry, link to the CentOS/RHEL bug (if applicable), and the CentOS package version that includes the fix (if available).
##* Go to the bottom of the page, where it says "This bug contains information that is:".
##** Select "Public Security" if there is no embargo or sensitivity around the reported issue (for example, reporting a public CVE in an open-source package).
##** Select "Private Security" if the issue is embargoed or sensitive. Only use this option if absolutely necessary.
##* Expand “Extra Options”.
##** Add the “stx.security” tag.
##** Add attachments that will help the development team troubleshoot the bug.
##* Click the “Submit Bug Report” button.
## Optional: once the bug is created, go to “Other bug subscribers” in the right-hand frame.
##* Click the “+ Subscribe someone else” link; a “Subscribe someone else” search pop-up should appear.
##* Add the following users:
##** Ghada Khalil (gkhalil) - WR
##** Yue Tao (wrytao) - WR
##* Link the CVE number, if applicable, using the "Link to CVE" option on the right-hand side.
# If the issue is extremely sensitive, or you are otherwise unable to use the bug tracker directly, send an e-mail message to the Security Team's members:
#* Ghada Khalil <[mailto:Ghada.Khalil@windriver.com Ghada.Khalil@windriver.com]>
#* Yue Tao <[mailto:yue.tao@windriver.com yue.tao@windriver.com]>

=== Team Objective / Priorities ===
* Responsible for work items related to StarlingX security

=== Tags ===
All Story Board stories and Launchpad bugs created for this team should use the tag "'''stx.security'''".

=== Team Work Items ===
* Story Board
** All
*** [https://storyboard.openstack.org/#!/story/list?status=active&tags=stx.security&project_group_id=86 Active Stories]
*** [https://storyboard.openstack.org/#!/story/list?status=merged&tags=stx.security&project_group_id=86 Merged Stories]
* Launchpad Bugs
** All
*** [https://bugs.launchpad.net/starlingx/+bugs?field.tag=stx.security Open Bugs]
*** [https://bugs.launchpad.net/starlingx/+bugs?field.searchtext=&orderby=-importance&field.status%3Alist=FIXRELEASED&assignee_option=any&field.assignee=&field.bug_reporter=&field.bug_commenter=&field.subscriber=&field.structural_subscriber=&field.tag=stx.security&field.tags_combinator=ANY&field.has_cve.used=&field.omit_dupes.used=&field.omit_dupes=on&field.affects_me.used=&field.has_patch.used=&field.has_branches.used=&field.has_branches=on&field.has_no_branches.used=&field.has_no_branches=on&field.has_blueprints.used=&field.has_blueprints=on&field.has_no_blueprints.used=&field.has_no_blueprints=on&search=Search Fixed Bugs]

Latest revision as of 00:41, 21 October 2022
