openbmc.lists.ozlabs.org archive mirror
* Start using github security advisories
From: Joseph Reynolds @ 2021-10-13 20:56 UTC
  To: openbmc, Andrew Geissler


Per today's Security working group meeting, we want to start using 
[GitHub security advisories][].  I think we need someone with admin 
permissions to github.com/openbmc/openbmc to create new advisories. Then 
we'll want a group (team? perhaps security-response-team) with the 
current OpenBMC [security response team][] members.  (I have that list.)

How do we get started?  Who has admin authority?

Joseph


[GitHub security advisories]: 
https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories
[security response team]: 
https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team-guidelines.md



* Re: Start using github security advisories
From: Andrew Geissler @ 2021-10-14 19:12 UTC
  To: Joseph Reynolds; +Cc: openbmc

> Per today's Security working group meeting, we want to start using [GitHub security advisories][].  I think we need someone with admin permissions to github.com/openbmc/openbmc to create new advisories. Then we'll want a group (team? perhaps security-response-team) with the current OpenBMC [security response team][] members.  (I have that list.)

Looks like you’ll need admin authority on openbmc/openbmc in order to utilize the security advisories feature. I wonder if it’s better to create an openbmc/security repo and we can give you and the security team admin of that repo for this work? This would also provide a potential location to track github issues for the security team.



> On Oct 13, 2021, at 3:56 PM, Joseph Reynolds <jrey@linux.ibm.com> wrote:
> 
> 
> Per today's Security working group meeting, we want to start using [GitHub security advisories][].  I think we need someone with admin permissions to github.com/openbmc/openbmc to create new advisories. Then we'll want a group (team? perhaps security-response-team) with the current OpenBMC [security response team][] members.  (I have that list.)
> 
> How do we get started?  Who has admin authority?
> 
> Joseph
> 
> 
> [GitHub security advisories]: https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories
> [security response team]: https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team-guidelines.md
> 



* Re: Start using github security advisories
From: Brad Bishop @ 2021-10-18 18:49 UTC
  To: Andrew Geissler; +Cc: openbmc, Joseph Reynolds

On Thu, Oct 14, 2021 at 02:12:20PM -0500, Andrew Geissler wrote:
>> Per today's Security working group meeting, we want to start using 
>> [GitHub security advisories][].  I think we need someone with admin 
>> permissions to github.com/openbmc/openbmc to create new advisories. 
>> Then we'll want a group (team? perhaps security-response-team) with 
>> the current OpenBMC [security response team][] members.  (I have that 
>> list.)
>
>Looks like you’ll need admin authority on openbmc/openbmc in order to 
>utilize the security advisories feature. I wonder if it’s better to 
>create a openbmc/security repo and we can give you and the security 
>team admin of that repo for this work? This would also provide a 
>potential location to track github issues for the security team.

This was my thinking as well, Andrew.  I'll create 
openbmc/security-response if I don't see any complaints in the next 
little while.

-brad


* Re: Start using github security advisories
From: Bruce Mitchell @ 2021-10-18 19:06 UTC
  To: Brad Bishop, Andrew Geissler; +Cc: openbmc, Joseph Reynolds

On 10/18/2021 11:49, Brad Bishop wrote:
> On Thu, Oct 14, 2021 at 02:12:20PM -0500, Andrew Geissler wrote:
>>> Per today's Security working group meeting, we want to start using 
>>> [GitHub security advisories][].  I think we need someone with admin 
>>> permissions to github.com/openbmc/openbmc to create new advisories. 
>>> Then we'll want a group (team? perhaps security-response-team) with 
>>> the current OpenBMC [security response team][] members.  (I have that 
>>> list.)
>>
>> Looks like you’ll need admin authority on openbmc/openbmc in order to 
>> utilize the security advisories feature. I wonder if it’s better to 
>> create a openbmc/security repo and we can give you and the security 
>> team admin of that repo for this work? This would also provide a 
>> potential location to track github issues for the security team.
> 
> This was my thinking as well Andrew.  I'll create 
> openbmc/security-response if I don't see any complaints in the next 
> little while.
> 
> -brad

I believe we want to make sure that none of the security advisories
get sent to Discord; we wouldn't want them accidentally going to
something like #gh-issues.



* RE: Start using github security advisories
From: Mihm, James @ 2021-10-27 18:29 UTC
  To: Bruce Mitchell, Brad Bishop, Andrew Geissler; +Cc: openbmc, Joseph Reynolds

Brad or Andrew, can we proceed with the creation of the security repository so that we can run a couple of trials on security issues?

I think it's important that we are able to meet the following criteria using a github repo with restricted access. 

a) individual security issues can be restricted using access control lists without granting global access to all security issues.
b) individual security issues can be linked to private code reviews and discussions without leaking information beyond those with a need to know.

Regards, James.

>-----Original Message-----
>From: openbmc <openbmc-
>bounces+james.mihm=intel.com@lists.ozlabs.org> On Behalf Of Bruce
>Mitchell
>Sent: Monday, October 18, 2021 12:06 PM
>To: Brad Bishop <bradleyb@fuzziesquirrel.com>; Andrew Geissler
><geissonator@gmail.com>
>Cc: openbmc <openbmc@lists.ozlabs.org>; Joseph Reynolds
><jrey@linux.ibm.com>
>Subject: Re: Start using github security advisories
>
>On 10/18/2021 11:49, Brad Bishop wrote:
>> On Thu, Oct 14, 2021 at 02:12:20PM -0500, Andrew Geissler wrote:
>>>> Per today's Security working group meeting, we want to start using
>>>> [GitHub security advisories][].  I think we need someone with admin
>>>> permissions to github.com/openbmc/openbmc to create new advisories.
>>>> Then we'll want a group (team? perhaps security-response-team) with
>>>> the current OpenBMC [security response team][] members.  (I have that
>>>> list.)
>>>
>>> Looks like you’ll need admin authority on openbmc/openbmc in order to
>>> utilize the security advisories feature. I wonder if it’s better to
>>> create a openbmc/security repo and we can give you and the security
>>> team admin of that repo for this work? This would also provide a
>>> potential location to track github issues for the security team.
>>
>> This was my thinking as well Andrew.  I'll create
>> openbmc/security-response if I don't see any complaints in the next
>> little while.
>>
>> -brad
>
>I believe we want to make sure that none of security advisories
>get sent to Discord, wouldn't want to accidentally be going to
>something like #gh-issues.



* Re: Start using github security advisories
From: Brad Bishop @ 2021-10-27 19:29 UTC
  To: Mihm, James, Bruce Mitchell, Andrew Geissler; +Cc: openbmc, Joseph Reynolds

On Wed, 2021-10-27 at 18:29 +0000, Mihm, James wrote:
> Brad or Andrew, Can we proceed with the creation of security
> repository so that we can run a couple of trials on security issues?

Hi James, thanks for the ping.

The only reason I haven't already done this was this comment from Bruce:

> > 
> > I believe we want to make sure that none of security advisories
> > get sent to Discord, wouldn't want to accidentally be going to
> > something like #gh-issues.

This was a good point and I'm not sure what to do about it.

-brad



* Re: Start using github security advisories
From: Brad Bishop @ 2021-10-27 19:42 UTC
  To: Mihm, James, Bruce Mitchell, Andrew Geissler; +Cc: openbmc, Joseph Reynolds

On Wed, 2021-10-27 at 15:29 -0400, Brad Bishop wrote:
> On Wed, 2021-10-27 at 18:29 +0000, Mihm, James wrote:
> > Brad or Andrew, Can we proceed with the creation of security
> > repository so that we can run a couple of trials on security issues?
> 
> Hi James, thanks for the ping.
> 
> The only reason I haven't already done this was this comment from
> Bruce:
> 
> > > 
> > > I believe we want to make sure that none of security advisories
> > > get sent to Discord, wouldn't want to accidentally be going to
> > > something like #gh-issues.
> 
> This was a good point and I'm not sure what to do about it.

Hi James

I created the security-response GitHub group and the security-response
repo just now and made it private.  Please do some testing and make sure
issues don't find their way into #gh-issues on Discord.

thx - brad



* Re: Start using github security advisories
From: Joseph Reynolds @ 2021-10-28 13:31 UTC
  To: Brad Bishop, Mihm, James, Bruce Mitchell, Andrew Geissler; +Cc: openbmc

On 10/27/21 2:42 PM, Brad Bishop wrote:
> On Wed, 2021-10-27 at 15:29 -0400, Brad Bishop wrote:
>> On Wed, 2021-10-27 at 18:29 +0000, Mihm, James wrote:
>>> Brad or Andrew, Can we proceed with the creation of security
>>> repository so that we can run a couple of trials on security issues?
>> Hi James, thanks for the ping.
>>
>> The only reason I haven't already done this was this comment from
>> Bruce:
>>
>>>> I believe we want to make sure that none of security advisories
>>>> get sent to Discord, wouldn't want to accidentally be going to
>>>> something like #gh-issues.
>> This was a good point and I'm not sure what to do about it.
> Hi James
>
> I created the security-reponse github group and the security-response
> repo just now and made it private.  Please do some testing and make sure
> issues don't find their way into #gh-issues on Discord.
>
> thx - brad

Thanks Brad!

The plan is to write the first issues from real-life but low-severity
problems which are also common knowledge within the OpenBMC community.
Meaning: there will be minimal harm if the problem is disclosed.

- Joseph



* Re: Start using github security advisories
From: Patrick Williams @ 2021-10-28 13:43 UTC
  To: Joseph Reynolds; +Cc: Bruce Mitchell, Brad Bishop, openbmc


On Thu, Oct 28, 2021 at 08:31:37AM -0500, Joseph Reynolds wrote:
> On 10/27/21 2:42 PM, Brad Bishop wrote:
> > On Wed, 2021-10-27 at 15:29 -0400, Brad Bishop wrote:
> >> On Wed, 2021-10-27 at 18:29 +0000, Mihm, James wrote:
> >>> Brad or Andrew, Can we proceed with the creation of security
> >>> repository so that we can run a couple of trials on security issues?
> >> Hi James, thanks for the ping.
> >>
> >> The only reason I haven't already done this was this comment from
> >> Bruce:
> >>
> >>>> I believe we want to make sure that none of security advisories
> >>>> get sent to Discord, wouldn't want to accidentally be going to
> >>>> something like #gh-issues.
> >> This was a good point and I'm not sure what to do about it.
> > Hi James
> >
> > I created the security-reponse github group and the security-response
> > repo just now and made it private.  Please do some testing and make sure
> > issues don't find their way into #gh-issues on Discord.
> >
> > thx - brad
> 
> Thanks Brad!
> 
> The plan is to write the first issues from real-live but low-severity  
> problems which are also common knowledge within the openBMC community.  
> Meaning: there will be minimal harm if the problem is disclosed.
> 
> - Joseph

I want to reiterate three things:

    1. In GitHub, security advisories are different from issues.  Security
       advisories are supposed to be able to be collaborated on in private
       without the repository itself being private.  Only when you are ready to
       reveal the security advisory can you switch it to be public.

    2. We have two webhooks for Discord now: one for issues and one for code
       changes.  Security advisories are not currently covered.  If you make an
       issue in a public repository anyone can see it, even if it isn't covered
       by a Discord webhook, so "limiting the awareness by avoiding the Discord
       webhook" isn't really what you want anyhow.  You need to make sure the
       information you want to be kept private is private (and again security
       advisories are supposed to be the way to do that).

    3. Having a private repository means you cannot report any security
       advisories (or issues) in a public way.  Today if someone goes to
       https://github.com/openbmc/security-response they get a 404 (unless they
       have explicit access to the private repository).

-- 
Patrick Williams



* Re: Start using github security advisories
From: Joseph Reynolds @ 2021-10-28 14:22 UTC
  To: Patrick Williams; +Cc: Bruce Mitchell, Brad Bishop, openbmc

On 10/28/21 8:43 AM, Patrick Williams wrote:
> ...snip...
> I want to reiterate three things:
>
>      1. In Github, security advisories are different from issues.  Security
>         advisories are suppose to be able to be collaborated on in private
>         without the repository itself being private.  Only when you are ready to
>         reveal the security advisory can you switch it to be public.

That matches my understanding.  The entire openbmc/security-response 
repo will be private to the OpenBMC security response team.
In this repo we will:
A. Track reported vulnerabilities under openbmc/security-response/issues.
B. Work on draft security advisories.

We don't have the exact workflow worked out.  I was thinking we could 
publish the security advisories under openbmc/openbmc/security.


Security advisory notes:
- The term "security advisory" as used here means the public 
announcement of a security vulnerability together with a mitigation 
(such as a fix or a workaround).  The OpenBMC security response team 
works on the security advisory in private, and then publishes these 
advisories when ready.  See the [guidelines][].
- IBM X-Force collects "security advisories" from all sources and 
publishes "security advisories" which it calls "security bulletins".  
The main distinction is advisories are input to the process, and 
bulletins are output.


[guidelines]: 
https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team-guidelines.md

>      2. We have two webhooks for Discord now: one for issues and one for code
>         changes.  Security advisories are not currently covered.  If you make an
>         issue in a public repository anyone can see it, even if it isn't covered
>         by a Discord webhook, so "limiting the awareness by avoiding the Discord
>         webhook" isn't really what you want anyhow.  You need to make sure the
>         information you want to be kept private is private (and again security
>         advisories are suppose to be the way to do that).

We plan to test the confidentiality of the openbmc/security-response 
repo with respect to Discord.

>      3. Having a private repository means you cannot report any security
>         advisories (or issues) in a public way.  Today if someone goes to
>         https://github.com/openbmc/security-response they get a 404 (unless they
>         have explicit access to the private repository).

I was thinking we could publish the security advisories under 
openbmc/openbmc/security.
We are still trying to figure out the workflow.


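The two checks the thread circles around, whether the repository is private and whether any webhook would forward its activity to Discord, both come down to data available from the GitHub REST API. The script below is an added example written for this archive page; it is not OpenBMC tooling and not anything posted in the thread. It assumes the JSON shapes of the repository and hooks endpoints (GET /repos/{owner}/{repo} and GET /repos/{owner}/{repo}/hooks), runs on a constructed sample with hypothetical Discord URLs, and treats its list of sensitive event names as an assumption to be verified against GitHub's current webhook documentation. One caveat it encodes: making a repository private hides its issues from outsiders, but does not stop the repository's webhooks from delivering payloads to wherever they point, so the hook configuration has to be audited separately.

```python
"""Audit a GitHub repository's visibility and webhook event subscriptions.

Added example for this thread; it is not OpenBMC code and not GitHub's.
It consumes the JSON shapes returned by the GitHub REST API
(GET /repos/{owner}/{repo} and GET /repos/{owner}/{repo}/hooks) but runs
against constructed sample data so it works offline.
"""
import json

# Events whose payloads can carry vulnerability details before a fix is public.
# "*" means the hook receives every event.  Assumption: this set is illustrative
# and should be checked against GitHub's current webhook event list.
ADVISORY_EVENTS = {
    "*",
    "repository_advisory",
    "repository_vulnerability_alert",
    "code_scanning_alert",
    "secret_scanning_alert",
}

# In a repository used to track reported vulnerabilities, the issues themselves
# are confidential, so forwarding them anywhere is a finding too.
ISSUE_EVENTS = {"issues", "issue_comment"}

# Constructed sample data (not real OpenBMC configuration).  The Discord URLs
# are hypothetical; hook 4 is disabled and must not be reported.
SAMPLE_REPO = json.dumps({"full_name": "example/security-response", "private": False})
SAMPLE_HOOKS = json.dumps([
    {"id": 1, "active": True, "events": ["issues", "issue_comment"],
     "config": {"url": "https://discord.example/api/webhooks/111/github"}},
    {"id": 2, "active": True, "events": ["push", "pull_request"],
     "config": {"url": "https://discord.example/api/webhooks/222/github"}},
    {"id": 3, "active": True, "events": ["*"],
     "config": {"url": "https://ci.example/hook"}},
    {"id": 4, "active": False, "events": ["repository_vulnerability_alert"],
     "config": {"url": "https://discord.example/api/webhooks/333/github"}},
])


def hook_findings(hooks, issues_are_confidential):
    """Return [(hook id, sorted offending events)] for active hooks that would
    deliver confidential activity to their configured URL."""
    watched = ADVISORY_EVENTS | (ISSUE_EVENTS if issues_are_confidential else set())
    findings = []
    for hook in hooks:
        if not hook.get("active", True):
            continue  # a disabled hook delivers nothing
        offending = watched & set(hook.get("events", []))
        if offending:
            findings.append((hook["id"], sorted(offending)))
    return findings


def audit(repo_json, hooks_json, issues_are_confidential):
    """Combine the visibility check with the webhook check.  A private repo
    hides its issues from the public, but its webhooks still fire, so both
    results matter."""
    repo = json.loads(repo_json)
    hooks = json.loads(hooks_json)
    return {
        "repo": repo["full_name"],
        "private": bool(repo.get("private", False)),
        "hook_findings": hook_findings(hooks, issues_are_confidential),
    }


if __name__ == "__main__":
    # For a private vulnerability-tracking repo, issues are confidential.
    print(json.dumps(audit(SAMPLE_REPO, SAMPLE_HOOKS, True), indent=2))
```

To run it against a real repository, replace the two sample strings with the output of `gh api repos/OWNER/REPO` and `gh api repos/OWNER/REPO/hooks`; listing hooks requires admin access to the repository, which is the same permission the thread identifies as the prerequisite for managing advisories.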
