-
Notifications
You must be signed in to change notification settings - Fork 24
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create a standard for the security of iaas service software #765
Conversation
Signed-off-by: josephineSei <[email protected]>
Signed-off-by: josephineSei <[email protected]>
Signed-off-by: josephineSei <[email protected]>
Signed-off-by: josephineSei <[email protected]>
We discussed today in the IaaS meeting, how to proceed.
This means I will rename the issue/PR and standard and will discard work on the tests, because the presence of security patches will not be easily testable. |
…XXXX-v1-security-of-iaas-service-software.md Signed-off-by: josephineSei <[email protected]>
Signed-off-by: josephineSei <[email protected]>
Signed-off-by: josephineSei <[email protected]>
Whenever there are new vulnerabilities discovered in IaaS service software like OpenStack there is either an internal discussion ongoing or it is just a smaller issue. | ||
In the first case CSPs should have someone following such discussions and may even help preparing and testing patches. | ||
From the moment on the vulnerability is announced it will be used by attackers. | ||
So CSPs MUST watch out for announcements like in the OSSAs and OSSNs and when they are affected, update their deployment as soon as possible. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we maybe consider cases here where vulnerabilities are not applicable to certain deployments? E.g. vulnerability concerns storage backend driver A whereas CSP is exclusively using storage backend driver B.
In such case, the update would not be a MUST for the CSP, in my opinion.
We should maybe put a preceeding step here to instruct the CSP to do an analysis first ASAP whether they are affected and if ...
- ... they are affected, they MUST apply the update and report having done so to SCS
- ... they are not affected, they MAY apply the update but MUST report a reasoning why they are not affected to SCS
Good first draft! I added some minor spelling/phrasing correction suggestions and some questions.
No. 1 needs to be a sweet spot between giving CSPs enough room to implement/test and being strict enough to ensure security in a meaningful way. Regarding no. 2 we maybe could be a bit more precise or provide a template. Unless I have missed something this could currently range from hand-written letters to SBOM XML files that are gigabytes in size which no human can look through in a timely manner. |
Co-authored-by: Markus Hentsch <[email protected]> Signed-off-by: josephineSei <[email protected]>
Signed-off-by: josephineSei <[email protected]>
Signed-off-by: josephineSei <[email protected]>
If a deployment is affected by a security issue and a maintained[^1] version of OpenStack is used as implementation for IaaS Layer software, security patches noted in OSSNs and OSSAs MUST be integrated within a reasonable timeframe. | ||
Otherwise the CSP MUST implement security bug fixes themself within a reasonable timeframe, when the deplyoment is affected by a security issue. | ||
|
||
In both cases proof of the update MUST be send to the OSBA, so that the compliance will not be revoked. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm afraid, this will result in a lot of paper work and bureaucracy no one wants to do.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That really is a problem:
We want to create standards that should be followed. Therefore we need tests.
But future CVEs or OSSNs cannot be known now and may be not easily testable. Should we consider writing a test for each of these vulnerabilities? This might be several tests a year to write, if a test from the outside is possible at all. And those tests might be considered as attacks (I mean they somehow are ;) ) and might trigger responses on the side of CSPs.
So a CSP giving notice about the fixing of a vulnerability, which already implicates, that we need to trust the CSP, could be an option. Maybe - if we already need to trust the CSPs - we may reduce the paper work:
MArkus suggested that there should be some kind of form file, that could be provided. We could do something like:
How did you deal with the vulnerability on your deployment XYZ:
[ ] Deployment was NOT affected, because ....... (e.g. we use another backend)
[ ] Functionality was disabled in the deployment.
[ ] Deployment was updated with a fix for the vulnerability, that .... (e.g. was provided be upstream openstack)
And only require short descriptions like above.
This may even be easier to evaluate in the compliance checker?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see your point @josephineSei and agree with @markus-hentsch. A form file could be a good trade-off. In fact, the file could be publicly available and evaluated automatically, which reduces paper-work. Assuming, we do not have any evil CSP (which will be recognizes sooner or later anyway ;)), I am fine with this approach.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had a look to this standard, too. IMO the standard should dictate patch time explicitly, such as two weeks. Describing time passed between publishing a patch and applying it, should not be described softly, such as "very soon", "as soon as possible". The standards does not bring any value-added to customers, as everybody interprets these words differently.
Secondly, I'm not convinced of the process a CSP uses to proof a certain vulnerability is fixed. It looks like manual steps are required, which are error-prone and will delay process additionally. I prefer to develop an automatic process, e.g. using digital signatures.
Co-authored-by: anjastrunk <[email protected]> Signed-off-by: josephineSei <[email protected]>
Signed-off-by: josephineSei <[email protected]>
Signed-off-by: josephineSei <[email protected]>
Signed-off-by: josephineSei <[email protected]>
For now I just want to comment on something I don't see explained or discussed neither in the proposal nor in any of the current commentary: This standard - in it's current form - talks broadly about "(the) software" comprising the IaaS layer, and I assume this mostly is meant to mean Openstack software. However I would find it important that we clarify this, because a typical IaaS Deployment is comprised of the following - very much different - software layers, especially when it comes to security updates.
So I think it is important to at least distinguish which software from the above list the CSP should patch. If the answer to this is: "all of it" then we must be clear that only a tiny fraction of it is covered by openinfra security processes! e.g. even direct dependencies of core openstack services are actually not monitored by openinfra for security issues if these are not developed under the openinfra umbrella! of course, if issues are reported these are fixed, but e.g. the requirements files listing tested versions which are known to work with various openstack services are no indicator that these releases are secure! So I think this is important to highlight to the user. So imho we should keep in mind that CSPs need to monitor way more than just OSSA announcements if they want to be secure. Thanks |
Indeed this standard should be applied on the IaaS Level, meaning all services with user-accesible APIs on that layer (this includes OpenStack and S3 if used). Nevertheless we definitely should talk about security on all layers from Metal to KaaS. We may discuss this in the IAM call next week. But I think putting all of it into a single standard may be too complex?
This is a good point that needs to be integrated into the standard regardless of how detailed the standard itself is.
Thank you for your feedback. I will integrate the focus on dependencies that are not monitored by OpenStack. For the rest I think we should discuss, whether this standard should have a very broad scope or just focus on the IaaS Layer. When we decide for the latter, we will most likely need standards for the other layers too. |
@anjastrunk and I discussed @artificial-intelligence comment. @artificial-intelligence I hope this reflects your concerns. This would also narrow done the scope of this PR to exactly the IaaS Layer and dependencies of it. |
Signed-off-by: josephineSei <[email protected]>
@Adri2000 @neuroserve @matfechner please review this - I think it is important that the view from CSPs is incorporated. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added some minor suggestions to the standard text.
Co-authored-by: Markus Hentsch <[email protected]> Signed-off-by: josephineSei <[email protected]>
Co-authored-by: Markus Hentsch <[email protected]> Signed-off-by: josephineSei <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is in a very good shape for a draft now. Any open points such as the exact manner of providing proof of applied security fixes or applicable SBOM formats can be discussed with the community once this draft lands in main, in my opinion.
closes #749