Skip to content

Commit

Permalink
What: Initial set of project security resources (cncf#733)
Browse files Browse the repository at this point in the history 
* What: Initial set of project security resources

Why:

* cncf#138 detailed a need for this and was reiterated at a recent mtg.

This change addresses the need by:

* creating a project resources directory
* linking to existing CNCF resources
* pulling in content from @annabellegoth2boss recommendation

* What: fix spelling issues.

* What: correcting the rest of the spelling issues

* What: last two fixes

* What: Updating with GitHub CNA info

Why:

* CNCF/LF is not a CNA because GitHub is a CNA

This change addresses the need by:

* modifying the incident response template to call out the portion of GitHub docs.

* What: Adding dependabot info & maintenance

Why:

* dependabot is a ideal option when enbaled for security updates and configured for versions.

* @lumjjb suggested a maintenance section in the readme and that is always smart.

This change addresses the need by:

* added details to the readme
* testing spelling

* What: adding disclaimer.

* What: Updates per review

Why:

* @lumjjb brought up some valid items
* @jlk correctly pointed out the overuse of the word "issue" and potential confusion

This change addresses the need by:

* added in @lumjjb's suggestions
* swapped `issue` for `problem` where appropriate
* improved readability in README.md for maintenance
* added disclaimer

* What: spelling update

* What: Updates per latest review

Why:

* nits found

This change addresses the need by:

* resolving nits

* What: more nits.
  • Loading branch information
@TheFoxAtWork
TheFoxAtWork committed Aug 3, 2021
1 parent 2618635 commit e1d5fae
Show file tree
Hide file tree
Showing 8 changed files with 354 additions and 2 deletions.
7 changes: 5 additions & 2 deletions ci/spelling-config.json
View file
Expand Up @@ -19,8 +19,11 @@
"explainability",
"APAC",
"spiffe",
"SPIFFE",
"keycloak",
"Keycloak"
"triage",
"triaging",
"triaged",
"exfiltration",
"mitigations"
]
}
76 changes: 76 additions & 0 deletions project-resources/README.md
View file
@@ -0,0 +1,76 @@
# Security resources for projects

This directory is intended to provide CNCF and other open source projects with
resources and templates to assist in kick-starting their security practices. The
templates, guides, and other documents herein assist projects in completion of
the [self-assessment](assessments/guide/self-assessment.md) as well as a few
items in the [CII badging](https://bestpractices.coreinfrastructure.org/en)
process.

A special thank you to [Google's OSS vulnerability guide
folks](https://github.com/google/oss-vulnerability-guide) for making the
Security TAG aware of this collection of resources upon which much of this
content was built on.

* [SECURITY.md](templates/SECURITY)
* draft security file that outlines subscribing to security bulletins, how
to report issues, and supported versions.
* [SECURITY_CONTACTS.md](templates/SECURITY_CONTACTS)
* a draft security contacts file to allow potential issue submitters to know
who they can expect to hear from or how to follow up on issues.
* [ISSUE_TEMPLATE.md](templates/ISSUE_TEMPLATE.md)
* a draft issue template to remind issue submitters that potential
vulnerabilities **do not** get submitted as issues.
* [incident-response.md](templates/incident-response.md)
* a draft, detailed incident response plan that covers how to triage issues,
confirm vulnerabilities, leverage security advisories, and push a
patch/release.
* [embargo-policy.md](templates/embargo-policy.md)
* a draft embargo policy that outlines the time frame and conditions
surrounding disclosures.
* [embargo.md](templates/embargo.md)
* a draft embargo notification that details the contents a notification should
contain.

Disclaimer: These resources are designed to be helpful to projects and
organizations, they require customization and configuration by the project
intending to use them. It does not prevent security issues from being found on a
project, will not automatically resolve them, and does not place CNCF Security
TAG as the responsible party. If changes are made to these templates, projects
are not required to pull in a new update.

## Dependabot Configuration

All public repositories have dependabot graphs and alerts enabled. Projects are
encouraged to also *[enable Dependabot security
updates](https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-dependabot-security-updates)*
and *create a [custom configuration for their
project](https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/enabling-and-disabling-version-updates)*.

## CNCF project templates

In addition to the security resources provided here, [CNCF's TAG Contributor
Strategy](https://github.com/cncf/tag-contributor-strategy/blob/main/README.md)
has put together an [initial project template
collection](https://github.com/cncf/project-template) with information on
getting started.

## Updates to this directory

The project-resources directory is intended to be a living directory to include
a lot of resources and templates any project or community may find useful as
well as making those projects more security aware through simple and
easy-to-adopt documentation. Updates, suggestions for updates, or discussions
for updates should initiate with an
[issue](https://github.com/cncf/tag-security/issues) and labeled with
"suggestion".

### Contributing updates

All members of the community and projects are welcome to contribute updates to
this directory. We ask potential contributors to refer to the existing content
and discussions as guidance when determining the content of their updates.

It is highly recommended that you seek peer review for your updates beyond that
of the Technical Leads and Chairs. More information on contributions to this
repo may be found in the [contributing file](../CONTRIBUTING.md)
26 changes: 26 additions & 0 deletions project-resources/templates/ISSUE_TEMPLATE.md
View file
@@ -0,0 +1,26 @@
<!--
For Security vulnerabilities, please refer to our security page $LINK
-->
# Title

### Summary

<!--
Please provide a brief, high level summary of the issue you are having
-->


### Actual Behavior

<!--
Please describe, in detail, step-by-step what behavior is occurring. Please
include any screenshots or other relevant files to assist in duplicating the
issue.
-->


### Expected Behavior

<!--
Please describe, in detail, step-by-step what you expect to occur.
-->
52 changes: 52 additions & 0 deletions project-resources/templates/SECURITY.md
View file
@@ -0,0 +1,52 @@
# Security policy

## Security bulletins

For information regarding the security of this project please join:

* $SLACK-CHANNEL
* $EMAIL-LIST

You may also subscribe to an RSS feed of the above using $LINK.

## Reporting a vulnerability

Please use the below process to report a vulnerability to the project:

Email:

1. Email the **$NAME**: **$ALIAS**
* Emails should contain:
* description of the problem
* precise and detailed steps (include screenshots) that created the
problem
* the affected version(s)
* any possible mitigations, if known
1. You will receive a reply from one of the maintainers within **$X days**
acknowledging receipt of the email.
1. You may be contacted by a **$PERSON** to further discuss the reported item.
Please bear with us as we seek to understand the breadth and scope of the
reported problem, recreate it, and confirm if there is a vulnerability
present.

Web Form:

1. Please visit **$LINK**
* You will receive a confirmation email upon submission
1. You may be contacted by a **$PERSON** to further discuss the reported item
within **$X days**. Please bear with us as we seek to understand the breadth
and scope of the reported problem, recreate it, and confirm if there is an
vulnerability present.

This project follows a **$X day disclosure timeline**. Refer to our embargo
policy **$LINK** for more information.

## Supported Versions

Information regarding supported versions of this project can be found on
**$LINK** located on the **$WEBSITE** and in the below table:

| Version | Supported |
| --- | --- |
| x.xx.x | :white_check_mark: |
| <=x.xx.x | :x: |
15 changes: 15 additions & 0 deletions project-resources/templates/SECURITY_CONTACTS.md
View file
@@ -0,0 +1,15 @@
# Security Contacts

Defined below are the security persons of contact for this project. If you have
questions regarding the triaging and handling of incoming problems, they may be
contacted.

The following security contacts have agreed to abide by the Embargo Policy $LINK
and will be removed and replaced if found to be in violation of that agreement.

DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, USE THE
INSTRUCTIONS AT $LINK

Security Contacts:

* $NAME: $ALIAS
30 changes: 30 additions & 0 deletions project-resources/templates/embargo-policy.md
View file
@@ -0,0 +1,30 @@
# Embargo Policy

This policy forbids members of this project's security contacts $LINK and others
defined below from sharing information outside of the security contacts and this
listing without need-to-know and advance notice.

The information members and others receive from the list defined below must:

* not be made public,
* not be shared,
* not be hinted at
* must be kept confidential and close held

Except with the list's explicit approval. This holds true until the public
disclosure date/time that was agreed upon by the list.

If information is inadvertently shared beyond what is allowed by this policy,
you are REQUIRED to inform the security contacts $LINK of exactly what
information leaked and to whom. A retrospective will take place after the leak
so we can assess how to not make this mistake in the future.

Violation of this policy will result in the immediate removal and subsequent
replacement of you from this list or the Security Contacts.

## Disclosure Timeline

This project sustains a **$X day disclosure timeline** to ensure we provide a
quality, tested release. On some occasions, we may need to extend this timeline
due to complexity of the problem, lack of expertise available, or other reasons.
Submitters will be notified if an extension occurs.
60 changes: 60 additions & 0 deletions project-resources/templates/embargo.md
View file
@@ -0,0 +1,60 @@
# Notice of Embargo

This is an embargoed notification that a vulnerability has been discovered in
$PROJECT. This notice has been sent to subscribed distributors and service
providers in order to allow for timely patching. You are receiving this
notification as you have agreed to abide by the embargo policy ($LINK) on this
project. Do not forward this information to other parties without complying with
the instructions of the embargo policy.

## Summary

*2-3 sentences describing the vulnerability using technical details. This should
only contain enough information to be able to make a quick determination of what
the vulnerability is about.*

### CVE

#### $CVE-NUMBER

### Versions

#### $VERSION

### Severity - [low, medium, high, critical]

*Provide an attack scenario or other information to explain the risk associated.
Use details gathered from the triage.*

### Proof of Concept

*Provide exact code or command lines in order to offer usable, precise, and
repeatable methods for a subscriber to reproduce the problem and test fixes and
mitigations.*

### Remediation and Mitigation

*Provide information on the known remediation or planned patch. Be sure to list
when it will be available or links to where the patch will be available.*

### Additional information

*If you have additional information to provide, be sure to include it here.*

## Timeline

**Date reported:** DD MMM YYYY
**Date fixed:** DD MMM YYYY
**Date to be disclosed:** DD MMM YYYY

### Public disclosure date: $DATE $TIME $TIMEZONE

**Do not:**

* make this problem public,
* issue communications hinting at or regarding this,
* share this with others,
* issue public patches before the disclosure date

This list will be notified immediately if the disclosure date is at risk or
changes. Questions should be directed to the security contacts $LINK.
90 changes: 90 additions & 0 deletions project-resources/templates/incident-response.md
View file
@@ -0,0 +1,90 @@
# Incident response

This serves to define how potential security issues should be triaged, how
confirmation occurs, providing the notification, and issuing a security advisory
as well as patch/release.

## Triage

### Identify the problem

Triaging problems allows maintainers to focus resources on the most critically
impacting problems. Potential security problems should be evaluated against the
following information:

* Which component(s) of the project is impacted?
* What kind of problem is this?
* privilege escalation
* credential access
* code execution
* exfiltration
* lateral movement
* $CONTEXT_SPECIFIC_ISSUE
* How complex is the problem?
* Is user interaction required?
* What privileges are required for this problem to occur?
* admin
* general
* $CONTEXT_SPECIFIC_PRIVILEGE
* What is the potential impact or consequence of the problem?
* Does an exploit exist?

Any potential problem that has an exploit, permits privilege escalation, is
simple, and does not require user interaction should be evaluated immediately.
[CVSS Version 3.1](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator) can be
a helpful tool in evaluating the criticality of reported problems.

### Acknowledge receipt of the problem

Respond to the reporter and notify them you have received the problem and have
begun reviewing it. Remind them of the embargo policy, and provide them
information on who to contact/follow-up with if they have questions. Estimate a
time frame that they can expect to receive an update on the problem. Create a
calendar reminder to contact them again by that date to provide an update.

### Replicate the problem

Follow the instructions relayed in the problem. If the instructions are
insufficient, contact the reporter and ask for more information.

If the problem cannot be replicated, re-engage the reporter, let them know it
cannot be replicated, and work with them to find a remediation.

If the problem can be replicated, re-evaluate the criticality of the problem, and
begin working on a remediation. Begin a draft security advisory.

Notify the reporter you were able to replicate the problem and have begun working
on a fix. Remind them of the embargo policy. If necessary, notify them of an
extension (only for very complex problems where remediation cannot be issued
within the project's specified window).

#### Request a CVE number

If a CVE has already been provided, be sure to include it on the advisory. If
one has not yet been created, [GitHub functions as a
CNA](https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories#cve-identification-numbers)
and allows you to request one as part of the security advisory process. Provide
all required information and as much optional information as we can. The CVE
number is shown as reserved with no further details until notified it has been
published.

## Notification

Once the problem has been replicated and a remediation is in place, notify
subscribed parties with a security bulletin and the expected publishing date.

## Publish and release

Once a CVE number has been assigned, publish and release the updated
version/patch. Be sure to notify the CVE group when published so the CVE details
are searchable. Be sure to give credit to the reporter by *[editing the security
advisory](https://docs.github.com/en/github/managing-security-vulnerabilities/editing-a-security-advisory#about-credits-for-security-advisories)*
as they took the time to notify and work with you on the problem!

### Issue a security advisory

Follow the instructions from [GitHub to publish the security advisory previously
drafted](https://docs.github.com/en/github/managing-security-vulnerabilities/publishing-a-security-advisory).

For more information on security advisories, please refer to the [GitHub
Article](https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories).

0 comments on commit e1d5fae

Please sign in to comment.