Create a standard for the security of iaas service software #765
Conversation
Signed-off-by: josephineSei <[email protected]>
Signed-off-by: josephineSei <[email protected]>
Signed-off-by: josephineSei <[email protected]>
Signed-off-by: josephineSei <[email protected]>
|
We discussed today in the IaaS meeting, how to proceed.
This means I will rename the issue/PR and standard and will discard work on the tests, because the presence of security patches will not be easily testable. |
…XXXX-v1-security-of-iaas-service-software.md Signed-off-by: josephineSei <[email protected]>
josephineSei
changed the title
Signed-off-by: josephineSei <[email protected]>
Signed-off-by: josephineSei <[email protected]>
| Whenever there are new vulnerabilities discovered in IaaS service software like OpenStack there is either an internal discussion ongoing or it is just a smaller issue. | ||
| In the first case CSPs should have someone following such discussions and may even help preparing and testing patches. | ||
| From the moment on the vulnerability is announced it will be used by attackers. | ||
| So CSPs MUST watch out for announcements like in the OSSAs and OSSNs and when they are affected, update their deployment as soon as possible. |
There was a problem hiding this comment.
Should we maybe consider cases here where vulnerabilities are not applicable to certain deployments? E.g. vulnerability concerns storage backend driver A whereas CSP is exclusively using storage backend driver B.
In such case, the update would not be a MUST for the CSP, in my opinion.
We should maybe put a preceeding step here to instruct the CSP to do an analysis first ASAP whether they are affected and if ...
- ... they are affected, they MUST apply the update and report having done so to SCS
- ... they are not affected, they MAY apply the update but MUST report a reasoning why they are not affected to SCS
|
Good first draft! I added some minor spelling/phrasing correction suggestions and some questions.
No. 1 needs to be a sweet spot between giving CSPs enough room to implement/test and being strict enough to ensure security in a meaningful way. Regarding no. 2 we maybe could be a bit more precise or provide a template. Unless I have missed something this could currently range from hand-written letters to SBOM XML files that are gigabytes in size which no human can look through in a timely manner. |
Co-authored-by: Markus Hentsch <[email protected]> Signed-off-by: josephineSei <[email protected]>
Signed-off-by: josephineSei <[email protected]>
Signed-off-by: josephineSei <[email protected]>
|
|
||
| ## Standard for a minimum IaaS Layer Software version | ||
|
|
||
| If a deployment is affected by a security issue and a maintained[^1] version of OpenStack is used as implementation for IaaS Layer software, security patches noted in OSSNs and OSSAs MUST be integrated within a reasonable timeframe. |
There was a problem hiding this comment.
What is a reasonable time? IMO, standard should be explicit here in order to guide CSPs.
How does customers know, whether or not a specific bug is fixed? Do we "force" CSPs to document software version/patch version somewhere?
There was a problem hiding this comment.
I can only propose a timeframe, but this need to be discussed with CSPs. I think i will attend the lean operator coffee next monday to ask for their opinion.
| If a deployment is affected by a security issue and a maintained[^1] version of OpenStack is used as implementation for IaaS Layer software, security patches noted in OSSNs and OSSAs MUST be integrated within a reasonable timeframe. | ||
| Otherwise the CSP MUST implement security bug fixes themself within a reasonable timeframe, when the deplyoment is affected by a security issue. | ||
|
|
||
| In both cases proof of the update MUST be send to the OSBA, so that the compliance will not be revoked. |
There was a problem hiding this comment.
I'm afraid, this will result in a lot of paper work and bureaucracy no one wants to do.
There was a problem hiding this comment.
That really is a problem:
We want to create standards that should be followed. Therefore we need tests.
But future CVEs or OSSNs cannot be known now and may be not easily testable. Should we consider writing a test for each of these vulnerabilities? This might be several tests a year to write, if a test from the outside is possible at all. And those tests might be considered as attacks (I mean they somehow are ;) ) and might trigger responses on the side of CSPs.
So a CSP giving notice about the fixing of a vulnerability, which already implicates, that we need to trust the CSP, could be an option. Maybe - if we already need to trust the CSPs - we may reduce the paper work:
MArkus suggested that there should be some kind of form file, that could be provided. We could do something like:
How did you deal with the vulnerability on your deployment XYZ:
[ ] Deployment was NOT affected, because ....... (e.g. we use another backend)
[ ] Functionality was disabled in the deployment.
[ ] Deployment was updated with a fix for the vulnerability, that .... (e.g. was provided be upstream openstack)
And only require short descriptions like above.
This may even be easier to evaluate in the compliance checker?
There was a problem hiding this comment.
I had a look to this standard, too. IMO the standard should dictate patch time explicitly, such as two weeks. Describing time passed between publishing a patch and applying it, should not be described softly, such as "very soon", "as soon as possible". The standards does not bring any value-added to customers, as everybody interprets these words differently.
Secondly, I'm not convinced of the process a CSP uses to proof a certain vulnerability is fixed. It looks like manual steps are required, which are error-prone and will delay process additionally. I prefer to develop an automatic process, e.g. using digital signatures.
Co-authored-by: anjastrunk <[email protected]> Signed-off-by: josephineSei <[email protected]>
closes #749