← Back to team overview

openstack team mailing list archive

Vulnerability Management concerns: negativity & count

 

ttx's update on the SEO, information architecture, and technical
documentation issue(s) described in my email "OpenStack Security
Group", 23 Nov 2011,
https://lists.launchpad.net/openstack/msg05646.html has made my day.
With the holiday today in the US, and knowing that our US peers would
likely need to provide coverage for them, I didn't expect momentum on
this until some time next week. Thank you Thierry!

So with that ball excellerating thanks to Thierry's, and I'm sure
other's hard work, I've turned my attention to explore this emotive
topic further -- again, once the external optics and high level best
practices look good to me, or more likely I understand the thinking
behind the equally excellent OpenStack practices, I'll be trying to
stay away from security -- I've already shortened my life too much
from past experiences :-D

So looking at the actual Vulnerability Management team document,
http://wiki.openstack.org/VulnerabilityManagement , I see the result
of thoughtful, fantastic collaboration!


I do have a couple of serious concerns:

A. As my former boss, as of this week, Matt Mullenweg [1] would so
often remind us, "don't be so negative" -- he literally reminded my
VIP Services sub-team of that last week -- it's natural when you are
deep in the trenches. Instead use "Words that Work". [2]

Every sentence in the first paragraph is dripping with negativity
- "will not give prior notice to their employer"
- "not about getting advance notice"
- "reduce the disclosure of vulnerability in the early stages"

What I hear when I read that is that we have the most serious issues
of professionalism among us -- crazy, embarrassing issues! That I've
just jumped into a nest of vipers -- Josh and Chris didn't say
anything about my impending death when they got me to join!
Thankfully, I very much doubt this is the reality! -- it wasn't at the
meetup I was at last night.

So is there a non-negative way of articulating this? *once*


A.2 If somehow this language reflects demonstrated reality, we need to
get the relevant parties *physical* in a room this week, and deal with
this! Let's also remember that the most likely "original reporter" is
one of us relevant parties.



B. Maximum of 3 people. This may have caused my heart to skip a beat.
Is there a reference implementation of this? Who's successes are we
emulating?

Having spent 2 years on Mozilla's private security list in a former
life, and five years being party to every WordPress security issue [3]
only 3 people is madness.

Mozilla private security list was (assume still is) open to membership
to anyone that demonstrated value and professionalism. I consider
Daniel Veditz's [1] Mozilla security team a model security citizen,
and consistent and very successful for at least the eight years I've
been been paying attention. [5]


B.2 But let's assume that there is some real reason to hard code the
membership count. Five years working with Automattic's Technical
Operations Lead Barry Abrahamson [5] -- the best in the business --
has impressed upon me through his leadership and actions It some cases
it can only take a few hours of lack of communication to turn a grey
hat [6] into a bad actor. So let's assume all three members are
available at the time the report comes in, one person owns
communication and collaboration with the reporter, and we hope that
both of the other two [7] have the expertise in the vector area to
rapidly assess the impact and pervasiveness, and now you've lost
another person, who works on IMing, email and phoning the area
exports; one is the loneliest number.

I don't want to give anyone my nightmares, but it is seasonal, let's
not forget that a sophisticated black hat is most likely to launch an
attack during a holiday, or when he knows another crisis is being
dealt with. You think only having three people gives favorable odds
that they are going to be available to respond to the first vender who
is investigating this with their panicked business-on--the-line
customer?

Even ignoring that, do three people alone have the stamina to
investigate and deal with *all* the false reports. ;-)



Sorry, if I'm a little worked up here. Too many exclamation marks,
right? I'm just so excited to be working with you guys and gals, and
want us all to really shine. Once again, I'm very impressed with the
Vulnerability Management document, and once these issues are
addressed, we'll be crushing it!


If I should be discussing this elsewhere please let me know, or want
additional context or thoughts please let me know.

Hope that helps,
Lloyd

--

1. http://en.wikipedia.org/wiki/Matt_Mullenweg
2. The best training material ;-) on this as recommend by Matt, and
which I thoroughly aggree with is is Frank I. Luntz, "Words That Work:
It's Not What You Say, It's What People Hear"
3. WordPress security issues are popular with the press ;-)
4. You may know Daniel Veditz as dveditz
5. http://barry.wordpress.com/about/
6. People just want to be taken seriously ;-)
7. It takes two to argue over code, three to  ;-)


Follow ups