This talk aims to let interested users in on the work of being a responsible vendor in the open source security world. It will have a particular focus on Plone, but will be applicable to anyone issuing public fixes for open source code.
2. Who am I
Zope/Plone since 2004
Plone security team leader
Former FWT member
2013 board member
Sprints, conferences, etc.
Python security at The Code Distillery
10. Workflow
1. Receive notification
2. Add to issue tracker and reply
3. Confirm bug exists
4. Find related problems
5. Request CVE
6. Write hotfix
11. Workflow (continued)
7. Test on supported versions
8. Release hotfix
9. Provide notes to oss-security
10. Receive allocated CVE
11. Update plone.org with CVE ids
12. Vulnerability shows on NVD
13. The MITRE Corporation
CVE
“CVE's common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.”
14. Steve Christey, MITRE
CVE
“In reality, all of the large vulnerability databases may have missed published vulnerabilities in the product …. We routinely see this.”
15. National Vulnerability Database
CVE
“Summary for CVE-2011-0720: Unspecified vulnerability in Plone 2.5 through 4.0, allows remote attackers to obtain administrative access.”
16. Not all equal
Can MERGE under certain circumstances
Have to fight for more
Many vulns never have one assigned
17. Why use CVE?
We're expected to
Lets us influence what people say about us
You can google the number
19. What is CVSSv2?
A systematic way of assigning severity
Three sections: Base, Temporal, Environmental
Our job is to provide the Base scores
Users can apply the Temporal and Environmental scores
20. Comparing CVSSv2s
Sometimes vendors release temporal scores, not base scores
Very few vendors publish the vectors
Vendors often disagree with researchers
Not all options always apply
21. CVSSv2 for companies
Temporal scores let us scale scores over the lifecycle of the bug
Environmental scores let you weight scores according to your business goals
22. Why use CVSSv2?
Lets us influence what people say about us
Easier to form policies about what things are urgent
We can make stats!
33. CVE-2013-4196
No gain information?
“Multiple information exposure flaws were found in the way object manager implementation of Plone, a user friendly and powerful content management system, protected access to its internal methods.”
34. CVE-2012-5505
No gain information?
“On some content types an anonymous view lookup returns a private data structure, which under certain circumstances may be used to read out confidential data.”
37. Open Source Vulnerability Database
Collaborative databases?
“Use of the OSVDB, and/or API in a commercial atmosphere requires a license from OSF or a commercial partner of our designation. Failure to obtain a license for such use will result in account termination and legal action as necessary.”
38. Kurt Seifried, RedHat
SPOF
“Remember this is supposed to be basically a small side part of my job at Red Hat and I sometimes get slammed and grumpy =)”
39. Recommendations
1. A wiki type vulnerability database
2. Freely available vulnerability ids
3. Direct editing access for vendors
4. Open data