We are requesting input from the community to develop a set of guidelines for better management of our security monitoring activities. A draft can be found here: https://docs.google.com/document/d/1_9atV4AAdGDfoiDLscdBsUMYja1CK2_Xitdzk3QiLFU/edit
Comments can also be included in this discussion thread.
We are still looking to get feedback on the Security Vulnerabilities Guidelines posted above.
Comments are welcome up until Friday, May 10, 2019.
1.5 years in the community seems like a reasonable threshold for a random person wanting to join the security team; however, if an established security expert joined the community and wanted to help, I don’t think I’d make her wait 1.5 years.
Is it common to have a mechanism for early notification of vulnerabilities? In the past, we considered making a security-announce mailing list to broadcast early warnings to interested parties. I’m not sure if that’s necessary or best practice. Talk could probably suffice, but it would be good to have a more well-defined process for notifications (e.g., a post to which category, using what tags, etc.).
I think I initially recommended this, but I’m not so sure about it anymore. I got the chance to talk to one of the core Debian developers about their vulnerability patching processes and I learned that they have no such early-notification mechanism, even for large enterprises that depend on the OS for mission-critical services. It seems like there’s no good way to solve the selective-notification problem without fundamentally changing the open-source nature of the project.
I am making some more edits to the document according to some of the suggestions and additional reference material found here: https://talk.openmrs.org/t/improving-our-security-response-process/3718
Will post the updated document as soon as I am done.
I have added to “our incident response approach”; please have a look. I hope it fits the vulnerability fixing procedure and documentation also.
I transferred the security guideline to the wiki at this link: https://wiki.openmrs.org/display/docs/Managing+a+Security+Vulnerabilities+in+OpenMRS
@shafiq12 Could you please incorporate your updates on this page? I can’t seem to find the previous edits that you made.
@isears @dkayiwa @cintiadr could you please comment on the “Time to resolve” column? What are your thoughts on giving some time durations to each severity case?
In my experience, the following scheme is pretty standard:
Critical/High: 90 days
Medium: 180 days
Low: 1 year
Anything less than 90 days is asking for trouble, I think. What are everyone else’s thoughts?
Hi @c.antwi, I have updated the document; please find the following changes: 1. Added the role of “Manager”, 2. “Roles and responsibilities of Manager”, 3. Added points to “containment, recovery process”, 4. Added time to resolve/accomplish the vulnerability task. I hope it will further smooth the process to fix and resolve vulnerabilities and also the documentation. If something else is needed to edit or add, I would be pleased.
Hey @shafiq12 Thanks so much for the contributions.