Re: Security WG meeting


Malini Bhandaru
 

Inline comments Jim

 

From: <EdgeX-TSC-Security@...> on behalf of "White2, James via Lists.Edgexfoundry.Org" <James.White2=dell.com@...>
Reply-To: "White, James (EMC)" <James_White2@...>
Date: Monday, April 15, 2019 at 6:58 PM
To: "ian.johnson@..." <ian.johnson@...>
Cc: "EdgeX-TSC-Security@..." <EdgeX-TSC-Security@...>
Subject: Re: [Edgex-tsc-security] Security WG meeting

 

Thanks Ian – sorry for the mix up.  Here are the links:

 

Addressing security issues (CVE):

https://wiki.edgexfoundry.org/display/FA/Security+Working+Group?preview=/329467/27492766/EdgeX%20Process%20for%20Addressing%20Security%20Issues-v5.pdf

I would make each a section:

  1. Set up SIR Team, with sub-sections: Team composition, Ratification, Tenure, Handling Vacancies, Role: Handling the security issues
  2. Security-Issues Email address set up. For privately and responsibly reporting security issues to the SIR Team
  3. Security Issues Landing page set up.
  4. Response Procedure
    1. EdgeX Code
    2. 3rd Party Dependencies

    The contents of sections 2-4 look done to me.

 

Some minor edits:

  1. s/chairman/chairperson
  2. s/effected/affected

 

Protecting EdgeX Secrets for Edinburgh:

https://wiki.edgexfoundry.org/display/FA/Security+Working+Group?preview=/329467/27492703/Protecting%20EdgeX%20Secrets-v7.pdf

 

From: Ian Johnson <ian.johnson@...>
Sent: Monday, April 15, 2019 8:55 PM
To: White2, James
Cc: EdgeX-TSC-Security@...
Subject: Re: [Edgex-tsc-security] Security WG meeting

 


 

 

On Mon, Apr 15, 2019 at 8:21 PM White2, James <James.White2@...> wrote:

All,

A reminder that the security working group will hold its call right after the TSC meeting on Wednesday (10am CDT).  We have a full agenda to include:

  • Review/finalization of the Securing service secrets doc – version 7

This doc link seems to be for the Security issue process?

 

  • Review/finalization of the Security issue process – version 5
  • Discussion on which credential generation mechanism to use for Vault DB secrets (pick up from Tingyu’s discussion last week)
  • Bulk of the time to Fuji scoping and roadmapping – based on Bryon’s Github pull request document.

 

Find connection information and full agenda here:  https://wiki.edgexfoundry.org/display/FA/Security+Working+Group

 

Look forward to talking to you all.

 

Jim White

Director, IoT Platform Development Team & Distinguished Engineer

EdgeX Foundry Technical Steering Committee Vice Chairman

Dell Technologies | IoT Solutions Division

Office +1 512-723-6139, mobile/text +1 612-916-6693

james_white2@...

 
