
Introducing David Jorm, security response process expert


Edward Warnicke
 

In keeping with my action item from the last TSC meeting, please meet David Jorm,
the security response process expert who helped OpenDaylight in formulating their
process.  He will be joining us at our next TSC meeting to assist us in formulating the 
fd.io Security Response Process.

Many thanks to David, for stepping up again to help :)

Ed


David Jorm <david.jorm@...>
 

Hi All

I have now drafted an initial process for review, as discussed:

https://wiki.fd.io/view/TSC:Vulnerability_Management

This process is based on the one I developed for OpenDaylight, but has been simplified to suit fd.io. I think the next steps are to send out a call for participation on the security team, form that team to review and approve the process, then turn our attention to implementation. Here is some text for the call for participation, which I think should come from a more established member of the community rather than from me:

-begin-
As fd.io grows and matures, we realize it is important to establish a vulnerability management process and a security team to define and execute it. We're looking for a small group of security-minded people who can form this team. Responsibilities will include:

* Reading and triaging incoming reports of security issues
* Producing patches for security issues as a top priority
* Maintaining confidentiality of security issues until they are patched and publicly disclosed
* Writing advisories to communicate information about security issues and patches to the community

We have David Jorm, an experienced security engineer, on board to lead the team and define the process, so don't worry if you aren't a security expert. Anyone who is an active fd.io developer or other contributor would be welcome to join the team. If you are interested, please let the TSC know.
-end-

Thanks
David

On Mon, Apr 25, 2016 at 9:29 PM, Edward Warnicke <hagbard@...> wrote:


Edward Warnicke
 

David,

Thank you for the work, I will add it to the TSC agenda for tomorrow.  Will you be able to attend to discuss it (8am PST)?  If so, do you have any constraints on your time that would influence when in the agenda we cover it (needing to leave before the end of the meeting for example)?

Ed

On Wed, May 18, 2016 at 1:20 AM, David Jorm <david.jorm@...> wrote:



David Jorm <david.jorm@...>
 

I can attend, but it would be good if we could make this the first agenda item.

Thanks
David

On Thu, May 19, 2016 at 5:19 AM, Edward Warnicke <hagbard@...> wrote:




David Jorm <david.jorm@...>
 

Sorry for the late notice, but I've had some meetings scheduled early tomorrow morning my time, so won't be able to make it today. It would be great if the TSC could take a look through the process I've drafted, and we can discuss it in more detail during the next meeting.

Thanks
David

On Thu, May 19, 2016 at 9:19 AM, David Jorm <david.jorm@...> wrote:





Edward Warnicke
 

David,

Thank you for letting us know.  We will go over the process draft.  I've also attempted to capture your recommendations for next steps in the TSC agenda, so we can attempt to move that ball forward as well :)

Ed

On Thu, May 19, 2016 at 7:19 AM, David Jorm <david.jorm@...> wrote:






David Jorm <david.jorm@...>
 

Hi All

I saw the call for volunteers went out - did you get much response? And has the TSC had an opportunity to review the draft? Is there anything I can do to help with implementation of the process?

Thanks
David

On Thu, May 19, 2016 at 10:20 PM, Edward Warnicke <hagbard@...> wrote:







Edward Warnicke
 

We did get some response.  The TSC considered things last week, and our conclusion was:

1)  We will constitute the security response team at our meeting next week.
2)  We will ask the security response team to finalize the security response process and recommend it to the TSC for approval.

One open question was: Would you like to be on the fd.io security response team?

Ed

On Mon, Jun 6, 2016 at 1:42 AM, David Jorm <david.jorm@...> wrote:








David Jorm <david.jorm@...>
 

That sounds like a good plan to me. I would indeed like to be on the security response team, thanks for the invitation.

David

On Tue, Jun 7, 2016 at 1:13 AM, Edward Warnicke <hagbard@...> wrote: