You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: Standards/scs-0124-w1-security-of-iaas-service-software.md
+12-12Lines changed: 12 additions & 12 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -9,29 +9,29 @@ supplements:
9
9
10
10
## Testing or Detecting security updates in software
11
11
12
-
It is not always possible to automatically test, whether the software has the newest security updates.
13
-
This is because software versions may differ or some CSPs might have added downstream code parts or using other software than the reference.
14
-
Also vulnerabilites and their fixes are quite different in testing, some might not be testable while others are.
15
-
Additionally testing might be perceived as an attack on the infrastructure.
12
+
It is not always possible to automatically test whether the software has the newest security updates.
13
+
This is because software versions may differ, or some CSPs might have added downstream code parts or be using other software than the reference.
14
+
Also vulnerabilities and their fixes are quite different in testing; some might not be testable while others are.
15
+
Additionally, testing might be perceived as an attack on the infrastructure.
16
16
So this standard will rely on the work and information CSPs must provide.
17
-
There are different cases and procedures which are addressed in the following parts, that lead to compliance for this standard.
17
+
There are different cases and procedures, which are addressed in the following parts, that lead to compliance for this standard.
18
18
19
-
### Procedure to become compliant to the security of IaaS service software Standard
19
+
### Procedure to become compliant with the security of IaaS service software standard
20
20
21
21
This is the procedure when a new deployment wants to achieve SCS-conformancy.
22
22
There are two states such a deployment can be in:
23
23
24
-
1. When a deployment is newly build or installed it usually uses software which includes all the latest security and bug fixes.
25
-
Such deployments should be considered compliant to the standard.
24
+
1. When a deployment is newly built or installed, it usually uses software that includes all the latest security and bug fixes.
25
+
Such deployments should be considered compliant with the standard.
26
26
27
-
2. When a CSP wants to make an older deployment compliant to the SCS standards and thus also to this standard, it should be checked, whether the running software is up to date and all vulnerabilites are fixed.
27
+
2. When a CSP aims to make an older deployment compliant with the SCS standards, it should be checked whether the running software is up-to-date and no known vulnerabilities are present.
28
28
Any updates or upgrades to even newer versions should be done before the SCS compliance for every other standard is checked.
29
29
Afterwards the CSP may provide information about the used software in an SBOM or otherwise should provide a notice about the deployment having integrated all necessary vulnerability patches.
30
30
31
-
### Procedure when new vulnerabilites are discovered
31
+
### Procedure when new vulnerabilities are discovered
32
32
33
33
Whenever there are new vulnerabilities discovered in IaaS service software like OpenStack there is either an internal discussion ongoing or it is just a smaller issue.
34
-
In the first case CSPs should have someone following such discussions and may even help preparing and testing patches.
34
+
In the first case, CSPs should have someone following such discussions and may even help prepare and test patches.
35
35
From the moment on the vulnerability is disclosed publicly, the risk of it being actively exploited increases greatly.
36
36
So CSPs MUST watch out for announcements like in the OSSAs and OSSNs and when they are affected, update their deployment within the following timeframes according to the severity of the issue:
37
37
@@ -40,6 +40,6 @@ So CSPs MUST watch out for announcements like in the OSSAs and OSSNs and when th
40
40
3. Mid (CVSS = 4.0 – 6.9): 1 month
41
41
4. Low (CVSS = 0.1 – 3.9): 3 months
42
42
43
-
Afterwards CSPs MUST provide a notice to the OSBA, that they are not or not anymore affected by the vulnerabilty.
43
+
Afterwards CSPs MUST provide a notice to the OSBA, that they are not or not any more affected by the vulnerability.
44
44
This can be done through either telling, what patches were integrated or showing configuration that renders the attack impossible.
45
45
It could also be provided a list of services, when the affected service is not used in that deployment.
0 commit comments