Jul 9, 2020 by Armory
This blog post was originally posted on: https://cd.foundation/blog/2020/07/07/an-inside-look-at-the-innovation-happening-in-oss-spinnakers-cve-process/
CDF Newsletter – July 2020 Article
Subscribe to the Newsletter
“I once went to a security talk, and it was such a mind shift for me when they explained that the only way to guarantee a system is 100% secure, is to unplug everything. You take all the wires, you take all the, you know, your bare metal, you take all of it, you dig a ditch, you throw everything in there, and you cover it with concrete,” Beth Fuller, Sr. Product Manager at Armory
As our community continues to grow and evolve, so too do the needs of enterprises using Spinnaker to fuel business via software. With security and compliance top of mind, Armory.io Senior Product Manager Beth Fuller is one of many people helping to trailblaze the new CVE process for OSS Spinnaker. The Spinnaker Security Special Interest Group (SIG) has taken on this project, motivated to maintain a safe product that can easily adapt to security and compliance requirements across industries.
Spinnaker excels at abstracting complex software lifecycles. In these, DevSecOps requires the daunting, yet essential, exercise of managing multiplying, distributed exploit vulnerabilities across a complex SDLC. To make this easier, the Spinnaker Security SIG is developing a protocol to create a CVSS score for each CVE found in the Spinnaker project. This will help security professionals and businesses alike understand the severity of the Common Vulnerabilities (CVEs), and define best practices to mitigate a particular CVE. “Having this threat model available for OSS Spinnaker is a critical factor in ensuring that the CVSS is defensible,” said Fuller.
First, we’ll define the Vulnerability Management policy. Read on for a brief walkthrough of how the Spinnaker Security SIG plans to implement CVSS scores, what they are, and how this information will be used to improve and define OSS Spinnaker security best practices moving forward.
Let’s start with the basics. The Common Vulnerabilities and Exposures (CVE) list is a resource that catalogues publicly disclosed cybersecurity vulnerabilities and exploits. It provides a standardized identifier for each known vulnerability or exposure, defined with an ID number, a description, and at least one public reference. This common identifier allows security practitioners to quickly and accurately correlate data about a problem across multiple CVE-compatible information sources. With CVE, vulnerability scanners, intrusion detection systems, and commercial software can use that same identifier to link fixes, exploit attempts, and other relevant information to particular vulnerabilities.
The Common Vulnerability Scoring System (CVSS) is an open framework that communicates the severity and characteristics of software vulnerabilities. CVSS scores range from 0.0-10.0. This numerical scoring framework helps organizations assess and prioritize their vulnerability management processes. Spinnaker’s Security SIG has begun that process by assigning qualitative severity ratings to score ranges:
The process designed by the Security SIG has several steps for scoring CVEs in the Spinnaker project.
By setting these standards, the Spinnaker Security SIG aims to fulfill the needs and requirements of enterprises using Spinnaker in production environments. The reporting, scoring, and tracking process is key to the success of the Security SIG’s Spinnaker Vulnerability Management pipeline. Fuller stresses that no matter what market your organization is in, seeing all of your CVEs listed can be intimidating, even scary. For example, if a codebase has an XML piece somewhere in its infrastructure with a CVE rating of 8 or 9, that poses a significant risk. If no-one can to exploit that piece of code based on where it’s located, to the point that its difficulty is nearly impossible, after that CVE goes through the CVSS scoring process, its severity may then be brought down to a 1.9. This would mean that it was no longer a significant and worrisome threat.
While organizations may have their own policies around CVSS scores, the Security SIG hopes that raising visibility into CVEs and determining scores based on threat models built by experts in the community will encourage public trust in Spinnaker CVSS scoring. It will allow for organizations to document their CVEs, determine their actions based on CVSS Scoring, and make better decisions as to how to document patches, and address security exploits. This will also be documented in the upcoming Spinnaker 1.1.21 release, Fuller noted. “You’re creating that level of visibility, so as security-minded people come in, they don’t have to guess if it’s a scary thing. We’re giving them the information so they don’t have to guess. They can just have a better understanding of why it is that we’re not fixing this thing that looks scary on the face of it. So, I think for the community, that’s going to be a big win.”
Alongside other subject matter experts such as eCISCO CEO Jeff Kohrman, and companies such as Salesforce and OpsMX, Fuller hopes that anyone interested in documentation, security, DevSecOps, and improving the security of OSS Spinnaker will get involved in the Security SIG. “You don’t have to be a security person to join, we are anyone interested in security. If you want to come from a documentation perspective and help us—Oh my gosh—We need that,” Fuller said, adding that sometimes it’s even better if participants don’t have a security background because everyone starts to then consider what it means to truly create a secure environment.
No two software delivery life cycles are alike, so exchanging ideas, fresh perspectives, and best practices raises the security bar for everyone. Fuller points out the value of sharing expertise that may not have been considered if everyone involved in a discussion had the same background and experience.
The Spinnaker Security SIG welcomes all who wish to contribute to join the Spinnaker Slack SIG-Security Channel, and to attend community meetings which take place every other Thursday at 11:00 AM PST/2:00 PM EST. The next meeting takes place on July 16, which happens to be the first day of Spinnaker Gardening Days week, an open source virtual hackathon. The Security SIG will form a team to tackle threat model development for common deployment endpoints. Register now to join SIG members in solving real-world issues facing the OSS Spinnaker and DevSecOps communities today.
Introducing Quick Spin One of the most common challenges that organizations face when implementing a continuous deployment strategy is the time and focus that it takes to set up the tools and processes. But a secure, flexible, resilient and scalable solution is available right now. Want to see if it’s the right tool for your […]
Read more →
Spinnaker is the most powerful continuous delivery tool on the market. DevOps engineers and developers recognize this power and are looking to use Spinnaker as a foundational tool in their Continuous Integration and Continuous Delivery (CI/CD) process for hybrid and multi-cloud deployments. Such a powerful, expansive open source tool needs expertise within your organization to […]
Read more →
Today, Armory is excited to announce the availability of the GitHub Action for Armory Continuous Deployment-as-a-Service. GitHub is where developers shape the future of software. After a developer writes and tests their code in GitHub, it must be deployed. Armory’s GitHub Action for Continuous Deployment-as-a-Service extends the best-in-class deployment capabilities to Kubernetes. CD-as-a-Service enables declarative […]
Read more →