Create a standard for the security of iaas service software #765
I'm afraid this will result in a lot of paperwork and bureaucracy no one wants to do.
That really is a problem:
We want to create standards that should be followed. Therefore we need tests.
But future CVEs or OSSNs cannot be known now and may not be easily testable. Should we consider writing a test for each of these vulnerabilities? This might be several tests a year to write, if a test from the outside is possible at all. And those tests might be considered as attacks (I mean they somehow are ;) ) and might trigger responses on the side of CSPs.
So a CSP giving notice about the fixing of a vulnerability, which already implies that we need to trust the CSP, could be an option. Maybe - if we already need to trust the CSPs - we may reduce the paperwork:
Markus suggested that there should be some kind of form file that could be provided. We could do something like:
And only require short descriptions like above.
This may even be easier to evaluate in the compliance checker?
I see your point @josephineSei and agree with @markus-hentsch. A form file could be a good trade-off. In fact, the file could be publicly available and evaluated automatically, which reduces paperwork. Assuming we do not have any evil CSP (which will be recognized sooner or later anyway ;)), I am fine with this approach.
Should we maybe consider cases here where vulnerabilities are not applicable to certain deployments? E.g. the vulnerability concerns storage backend driver A whereas the CSP is exclusively using storage backend driver B.
In such a case, the update would not be a MUST for the CSP, in my opinion.
We should maybe put a preceding step here to instruct the CSP to do an analysis first ASAP whether they are affected and if ...