streamline CVE handling in SCS-0210 with SCS-0124#1099
Conversation
In SCS-0124 we write: --- Critical (CVSS = 9.0 – 10.0): 3 hours High (CVSS = 7.0 – 8.9): 3 days Mid (CVSS = 4.0 – 6.9): 1 month Low (CVSS = 0.1 – 3.9): 3 months --- Our Policies should be the same where possible, so adjust this to match IaaS. Signed-off-by: Felix Kronlage-Dammers <fkr@hazardous.org>
fkr
requested review from
depressiveRobot,
garloff and
mbuechse
as code owners
|
This was noticed by @janeczku and raised in our RKE2 session at the hackathon. |
|
I agree that it may be beneficial to harmonize the two standards, but as far as I can tell, scs-0210 came first, and now I'm wondering why scs-0124 takes precedence. |
Signed-off-by: Felix Kronlage-Dammers <fkr@hazardous.org>
It does not take precedence, but it actually explains the chosen scores much better. Why did we pick 8 for critical in this standard? Technicially only >= 9.0 is critical. High is 7.0 - 8.9 - the IaaS standard explains this and also points to the BSI C5 common criteria. I've updated the change to explain this better. Thanks for highlighting this! |
mbuechse
left a comment
mbuechse
left a comment
There was a problem hiding this comment.
If we now include CVEs with scores 7 through 8, this makes the regulation stricter, but the rule in question is only a recommendation, so we should be good.
| - This time period MUST be even shorter for patches that fix critical or high CVEs. | ||
| A critical CVE is a CVE with a CVSS base score >= 9.0 and a high CVE with a CVSS | ||
| base score >= 7.0 according to the CVSS version used in the original CVE record (e.g., CVSSv3.1). | ||
| It is RECOMMENDED to provide a new patch version in a 3-day time period after their release, this |
There was a problem hiding this comment.
| It is RECOMMENDED to provide a new patch version in a 3-day time period after their release, this | |
| It is RECOMMENDED to provide a new patch version in a 3-day time period after their release; this |
or we explain why we chose 8 - that was the question that initially started this discussion and why i looked up what we do for IaaS. |
depressiveRobot
changed the title
Signed-off-by: Felix Kronlage-Dammers <fkr@hazardous.org>
| - This time period MUST be even shorter for patches that fix critical or high CVEs. | ||
| A critical CVE is a CVE with a CVSS base score >= 9.0 and a high CVE with a CVSS | ||
| base score >= 7.0 according to the CVSS version used in the original CVE record (e.g., CVSSv3.1). | ||
| It is RECOMMENDED to provide a new patch version in a 3-day time period after their release, this |
There was a problem hiding this comment.
| It is RECOMMENDED to provide a new patch version in a 3-day time period after their release, this | |
| It is RECOMMENDED to provide new patch versions for high CVEs in a 3-day time period and for critical CVEs in a 3-hour time period after their release. This |
For critical CVEs, the time period is even shorter according to BSI C5.
| A critical CVE is a CVE with a CVSS base score >= 9.0 and a high CVE with a CVSS | ||
| base score >= 7.0 according to the CVSS version used in the original CVE record (e.g., CVSSv3.1). | ||
| It is RECOMMENDED to provide a new patch version in a 3-day time period after their release, this | ||
| comes from the BSI C5 Common Criteria[^1]. |
There was a problem hiding this comment.
| comes from the BSI C5 Common Criteria[^1]. | |
| is in accordance with the BSI C5:2020[^1]. |
| - It is RECOMMENDED to not support versions after this period in order to not encourage | ||
| usage of out-of-date versions. | ||
|
|
||
| [^1]: [C5 criteria catalog with timeframes for responses on page 70.](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/CloudComputing/ComplianceControlsCatalogue/2020/C5_2020.pdf?__blob=publicationFile&v=3) |
There was a problem hiding this comment.
| [^1]: [C5 criteria catalog with timeframes for responses on page 70.](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/CloudComputing/ComplianceControlsCatalogue/2020/C5_2020.pdf?__blob=publicationFile&v=3) | |
| [^1]: [Cloud Computing Compliance Criteria Catalogue – C5:2020 with time frames for responses on page 70.](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/CloudComputing/ComplianceControlsCatalogue/2020/C5_2020.pdf?__blob=publicationFile&v=3#page=72) |
I complemented the link to point to the specific page in the PDF.
| In this context, a critical CVE is a CVE with a CVSS base score >= 8 according | ||
| to the CVSS version used in the original CVE record (e.g., CVSSv3.1). | ||
| It is RECOMMENDED to provide a new patch version in a 2-day time period after their release. | ||
| - This time period MUST be even shorter for patches that fix critical or high CVEs. |
There was a problem hiding this comment.
@fkr We had a different wording for this in our session today. Unfortunately, it's not in the minutes, but as I remember you wrote that down.
depressiveRobot
changed the title
depressiveRobot
added
kaas-hackathon
KaaS
|
I think this has enough overlap with #1098 that we should link the two? |
|
@depressiveRobot we also said in the session that we should likely introduce a v3 |
Signed-off-by: Felix Kronlage-Dammers <fkr@hazardous.org>
|
I've added a v3 and incorporated the suggestions from @depressiveRobot |
this was a suggestion from @depressiveRobot in #1099, since we link the same document/passage here, adopt this. Signed-off-by: Felix Kronlage-Dammers <fkr@hazardous.org>
This was a suggestion from @depressiveRobot in #1099. Since we link the same document/passage here, adopt this. Signed-off-by: Felix Kronlage-Dammers <fkr@hazardous.org>
3 participants
In SCS-0124 we write:
Our Policies should be the same where possible, so adjust this to match IaaS.