Internal security process docs #6960
* Add fixes on the [http://github.com/silverstripe-security](http://github.com/silverstripe-security) repo | ||
* Get them peer reviewed by posting on security@silverstripe.org with a link to github | ||
* Before release (or release candidate) | ||
* Merge back from [http://github.com/silverstripe-security](http://github.com/silverstripe-security) repos shortly before the release (minimise early disclosure through source code) |
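Review bot: the peer-review bullet ("Get them peer reviewed by posting on security@silverstripe.org with a link to github") does not say what to link (the commit, branch or pull request on the silverstripe-security repo) or where the reviewer's sign-off is recorded, so the review is not auditable afterwards; name the artefact to link and the place the approval lives. Minor: "github" should be written "GitHub".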
At the moment the release and the pushing to the open source branch(es)/tag(s) happen at once. They are tagged and pushed to the open source repos as part of the release process.
Yes, this is more a "at release" rather than "before release".
Sweet, changed "shortly before the release" to "at release"
* Assign a unique identifier (see "Acknowledgement and disclosure") | ||
* Respond to issue reporter with this identifier on the same discussion thread (cc security@silverstripe.org). Clarify issue if required. | ||
* If encrypted information is provided, add pass phrases into the SilverStripe Ltd. LastPass account. Keep encrypted documents in Google Drive and only share directly with relevant participants | ||
* Create a draft page under [Open Source > Download > Security Releases](https://www.silverstripe.org/admin/pages/edit/show/794) on silverstripe.org. Describe the issue in a readable way, make the impact clear. Credit the author if applicable. |
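Review bot: the LastPass/Google Drive bullet says to share encrypted documents "only ... with relevant participants" but not to record who was given access or to remove the share once the issue is closed; add a note to track the sharing on the issue and revoke access at disclosure. The same bullet is also missing its full stop.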
I'm semi-confident about adding links to our internal CMS pages on a public repo. I'd rather have a redirector page with a canview = admin and a public human urlsegment. (redirectorpage can point to CMS sections).
This isn't exposing anything that you couldn't guess within five seconds without this mention, so it sounds like you're overthinking this :) If for some reason we change the ID, we'll update the link.
* Clarify who picks up owns the issue resolution | ||
* When developing a fix: | ||
* Add fixes on the [http://github.com/silverstripe-security](http://github.com/silverstripe-security) repo | ||
* Get them peer reviewed by posting on security@silverstripe.org with a link to github |
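Review bot: "Clarify who picks up owns the issue resolution" reads as two verbs that were never merged; "Clarify who owns the issue resolution" is presumably intended. It would also help to say where the owner is recorded (the JIRA ticket referenced elsewhere in this document) so a handover between maintainers is visible.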
We need to add these links to the internal jira; keep the jira as the central point of management for these issues rather than the mailing list (which you can post to too, but we should be able to see all progress made on the jira ticket).
Good point, I've changed to "with a link to the JIRA issue"
* Before release (or release candidate) | ||
* Merge back from [http://github.com/silverstripe-security](http://github.com/silverstripe-security) repos shortly before the release (minimise early disclosure through source code) | ||
* Send out a note on the pre-announce list with a highlevel description of the issue and impact (usually a copy of the yet unpublished security release page on silverstripe.org) | ||
* Link to silverstripe.org security release page in the changelog. |
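Review bot: the pre-announce bullet gives no lead time before the release and no statement of what the note must leave out; since it is "usually a copy of the yet unpublished security release page", say how far ahead it is sent and that reproduction details stay out of it until the release is public. Typos: "highlevel" should be "high-level" and "the yet unpublished" should be "the as-yet-unpublished".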
This is done automatically by cow and doesn't need to be a release task.
How does that work? I want to specifically highlight any security issues at the top of the changelog, and deep link them into the relevant silverstripe.org page. I can't see how cow would pick that up?
* Add a new bug on our [Open Source Security JIRA board](https://silverstripe.atlassian.net/secure/RapidBoard.jspa?rapidView=198&view=detail). Add a link to the [Google Groups](https://groups.google.com/a/silverstripe.com/forum/#!forum/security) discussion thread so it's easy to review follow up messages. | ||
* Clarify who picks up owns the issue resolution | ||
* When developing a fix: | ||
* Add fixes on the [http://github.com/silverstripe-security](http://github.com/silverstripe-security) repo |
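Review bot: the JIRA link in the first bullet points at a filtered board view (rapidView=198&view=detail) rather than the project itself, so a renamed or refiltered board silently breaks the document; link the project or state its key alongside the board. Also "follow up messages" should be hyphenated as "follow-up messages".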
Add
* Ensure that all security commit messages are prefixed with the CVE. E.g. "[ss-2015-001] Fixed invalid XSS"
We use a regexp to trace these security issues. :)
Added
Follow these instructions in sequence as much as possible: | ||
|
||
* When receiving a report: | ||
* Perform initial criticality assessment |
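Review bot: "Perform initial criticality assessment" names no scale or criteria, so two maintainers could rate the same report differently; point to the rating scheme the process uses (or list the levels here) and say who performs the assessment. "Follow these instructions in sequence as much as possible" also leaves open which steps may be reordered; marking the ones that can run in parallel would be clearer.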
, and ensure that the reporter is given a justification for all issues we classify or demote as non-security vulnerabilities.
Done
|
||
* When receiving a report: | ||
* Perform initial criticality assessment | ||
* Assign a unique identifier (see "Acknowledgement and disclosure") |
E.g. SS-2017-001, based on reported year and order reported.
Reworded to be a bit clearer (JIRA is the unique source for those), and added
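The two conventions discussed in this thread, identifiers of the form SS-2017-001 (year reported plus order reported) and commit subjects prefixed with the identifier in brackets so a regexp can trace them, can be checked mechanically. The following is an added example and not the project's own tracing script: it indexes `git log --format="%h %s"` output by identifier, and the regex, the case-insensitive matching and the sample log lines are my own constructions.

```python
import re
from collections import defaultdict

# Identifier shape from the review thread: "SS-2017-001" = prefix, four-digit
# year the report was received, three-digit order within that year. Commit
# subjects carry it in brackets, e.g. "[ss-2015-001] Fixed invalid XSS"; the
# thread shows both upper- and lower-case spellings, so match case-insensitively.
SECURITY_PREFIX = re.compile(r"^\[(ss-(\d{4})-(\d{3}))\]\s*(\S.*)$", re.IGNORECASE)

def parse_commit_subject(subject):
    """Return (identifier, summary) for a prefixed subject, or None.

    The identifier is upper-cased so 'ss-2015-001' and 'SS-2015-001' collate
    as one issue; a subject with no bracketed identifier is not a security fix.
    """
    match = SECURITY_PREFIX.match(subject.strip())
    if match is None:
        return None
    identifier, _year, _seq, summary = match.groups()
    return identifier.upper(), summary.strip()

def index_security_commits(log_lines):
    """Group commits by identifier from 'git log --format="%h %s"' output.

    Each line is '<short sha> <subject>'. Unprefixed lines are skipped, which is
    what lets a release manager list every commit for one issue from the log alone.
    """
    by_identifier = defaultdict(list)
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        sha, _, subject = line.partition(" ")
        parsed = parse_commit_subject(subject)
        if parsed is not None:
            identifier, summary = parsed
            by_identifier[identifier].append((sha, summary))
    return dict(by_identifier)

# Constructed sample log: the hashes and every subject except the XSS one are
# made up for this example, not real silverstripe-framework history.
SAMPLE_LOG = """\
a1b2c3d [ss-2015-001] Fixed invalid XSS
b2c3d4e Update docs for 3.1.x
c3d4e5f [SS-2015-001] Regression test for XSS fix
d4e5f6a [SS-2016-004] Escape user-supplied URL in redirect
e5f6a7b BUG Typo in comment
""".splitlines()
```

Feeding real history in is `git log --format="%h %s" | python -c '...'` or reading stdin into `index_security_commits`; the same regex also catches commits whose identifier is malformed, since those land in no group and can be reported separately.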
* Respond to issue reporter with this identifier on the same discussion thread (cc security@silverstripe.org). Clarify issue if required. | ||
* If encrypted information is provided, add pass phrases into the SilverStripe Ltd. LastPass account. Keep encrypted documents in Google Drive and only share directly with relevant participants | ||
* Create a draft page under [Open Source > Download > Security Releases](https://www.silverstripe.org/admin/pages/edit/show/794) on silverstripe.org. Describe the issue in a readable way, make the impact clear. Credit the author if applicable. | ||
* Add a new bug on our [Open Source Security JIRA board](https://silverstripe.atlassian.net/secure/RapidBoard.jspa?rapidView=198&view=detail). Add a link to the [Google Groups](https://groups.google.com/a/silverstripe.com/forum/#!forum/security) discussion thread so it's easy to review follow up messages. |
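Review bot: this group of steps creates the JIRA ticket last, after the passphrases, encrypted documents and draft release page already exist; because the ticket is the record meant to hold the links to all of these, opening it as the first step of the group and attaching the rest to it avoids artefacts that are referenced only in email. The encrypted-information bullet is also missing its full stop.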
I might add this higher; all of the above information (e.g. lastpass links, google docs) needs to be added to the ticket.
Done
OK, I've updated this with all the feedback - ready to merge?