[Security Review] Cilium #1029

Closed
6 of 15 tasks
xmulligan opened this issue Jan 20, 2023 · 19 comments
Label: assessment (project security assessments, one issue per project)


xmulligan commented Jan 20, 2023

Project Name: Cilium

Github URL: https://github.com/cilium

CNCF project stage and issue: cncf/toc#952 (Graduation)

Security Provider: Yes

  • Identify team
    • Project security lead
    • Lead security reviewer: Andrés Vega (@anvega)
    • 1 or more additional reviewer(s): Frederick F. Kautz IV (@fkautz), Justin Cappos (@JustinCappos), Jon Zeolla (@JonZeolla)
    • Every reviewer has read security reviewer guidelines and stated declaration of conflict
    • Sign off by 2 chairs on reviewer conflicts
  • Create slack channel: #sec-assess-cilium
  • Project lead provides draft document - see outline
  • "Naive question phase" Lead Security Reviewer asks clarifying questions
  • Assign issue to security reviewers
  • Initial review
  • Presentation & discussion
  • Share draft findings with project
  • Assessment summary and doc checked into /assessments/projects/project-name (require at least 1 co-chair approval)
  • CNCF TOC presentation (if requested by TOC)
@TheFoxAtWork

@xmulligan - I've asked @lumjjb @achetal01 @sublimino to convert this issue into a Security Pal to review the items we discussed during DD for graduation and to perform a lightweight threat model. Neither of these items is a blocker for Graduation.

@TheFoxAtWork TheFoxAtWork removed the triage-required Requires triage label Feb 7, 2023

anvega commented Feb 9, 2023

@xmulligan @TheFoxAtWork Can you please share the link to the due diligence document? I could not find one on pull/952.

The graduation process does outline the completion of an independent, third-party security audit with results published, as well as critical vulnerabilities needing to be addressed (see graduation_criteria.md) before graduation. Note the project also did not undergo a TAG Security assessment when it was received at incubation at CNCF, as it would have had it progressed from sandbox. Ideal timing ahead of rubber-stamping it as graduation-ready.

Cilium is a project with a core function of serving secure and security capabilities. Among the stated primary use cases there are secure connectivity, encryption, access control, and audit. Given the positioning, TAG-Security would be remiss not to treat the project with the scrutiny of a proper and thorough assessment. Not doing so wouldn't just be an oversight in review on our part and that of the TOC, but a lack of diligence and a bad precedent.

My recommendation to the TOC is for a full assessment according to the existing process stipulated, in addition to the suggested lightweight threat model and the assignment of a security pal.

@anvega anvega self-assigned this Feb 9, 2023
@anvega anvega added the assessment project security assessments (one issue per project) label Feb 9, 2023
@anvega anvega added this to the STAG Rep: @anvega milestone Feb 9, 2023

anvega commented Feb 9, 2023

Reading back over the commit I do see the following:

A CNCF sponsored security audit has been started with OSTIF and Cilium has previously undergone an audit by Cure53 sponsored by Isovalent. A CNCF-sponsored fuzzing audit from ADA Logics is currently underway with a goal to be completed before the end of November. Finally, Cilium currently has an LFX mentee working on increasing the security of the release process including signed SBOMs and signed release artifacts.

I wasn't able to discover links to the audit reports on the project repository or website at first glance, or to find them using search. Links to these resources will be useful to help evaluate.


fkautz commented Feb 9, 2023

If a self-assessment is necessary and still pending, I'd be happy to help facilitate this process.

@xmulligan

@anvega I just sent you the DD doc on the CNCF slack. We haven't added the doc to the issue yet because we are still finalizing it and haven't opened the public comment period.

The third-party security audit by OSTIF will be published on Monday; we were just working on remediation before publication.


fkautz commented Feb 11, 2023

I have read the security reviewer guide and have no conflicts.

@JustinCappos

I have read the security reviewer guide and have no conflicts.


anvega commented Mar 8, 2023

After long deliberation amongst the TAG, we have arrived at the conclusion that the product of assessments is an educational resource that aids adopters and end users in understanding in detail the security properties of the project. Project teams find value in producing an asset that preempts the questions you are to encounter from an organization’s security and compliance teams. The benefits are ease of adoption and user enablement. Another way to look at this is the TAG helping you present and defend the case of how secure Cilium is. As part of it, direction and considerations to apply in mitigating different threat scenarios and failure modes will be incorporated into the guidance. As such, we find it pressing to serve the project and its community with the treatment of a complete assessment. Given the maturity, robustness, and rigor for which Cilium has come to be known, it should be a relatively straightforward process.

We have enough reviewers in Fred, Justin, and me to get rolling. We will recruit a few more folks who will join along the way. To get started, @xmulligan, we must identify the folks most familiar with the project's inner workings and security design. Perhaps that’s André or Daniel, but we’ll defer to you to tell us who that is. From prior experience, it does help to include a couple more folks to field review questions, help write the answers, and editorialize the document as the assessment progresses. Once the crew on the Cilium side is identified, we will need you to create the draft document following the outline. I suggest not spending more than a week putting the draft together. The reviewers can help with part of the initial draft, but without your input, we will build it relying solely on the project's documentation.

For expectation setting, once a self-assessment project draft is ready, the review and project team will enter a phase of naive questions to develop shared context. In the past, this has been async throughout a couple of weeks but could be done over a series of meetings over two to three days to eliminate the back-and-forth toil. From there, we'll get into the actual review; it might take us a couple of days to digest the document. From that consecutive analysis, you can expect more challenging follow-on questions requiring in-depth explanation, which will be captured to expand the draft. As part of that next stage, we'll perform a lightweight threat model, an accompanying threat matrix, and an attack tree.


anvega commented Mar 8, 2023

I have read the security reviewer guide and have no conflicts.

@achetal01 @lumjjb @sublimino Can you please look into the three reviewers' no-conflict statements and sign off on those?


lumjjb commented Mar 8, 2023

Chair sign off on conflict statements

@achetal01

Agree with Brandon. Consider this sign-off on conflict statements.

@xmulligan

@ferozsalam has started working on our threat model here. It would be great to have some feedback on this too: cilium/cilium#24497


stale bot commented May 21, 2023

This issue has been automatically marked as inactive because it has not had recent activity.

@stale stale bot added the inactive No activity on issue/PR label May 21, 2023

anvega commented Jun 15, 2023

@xmulligan Picking up where we left off, it would be great if the threat model you reference could be included as part of the self-assessment doc. It's not that it's our preference; it's simply part of the established process for the sort of review that you've requested in this issue.

@stale stale bot removed the inactive No activity on issue/PR label Jun 15, 2023
@JustinCappos

As per @TheFoxAtWork 's reply above, a security assessment will not be performed. So this issue will be closed.

@xmulligan - I've asked @lumjjb @achetal01 @sublimino to convert this issue into a Security Pal to review the items we discussed during DD for graduation and to perform a lightweight threat model. Neither of these items are blockers for Graduation.


anvega commented Jul 31, 2023

There needed to be better communication on this issue which I failed to capture before the chair sign-offs. I apologize for the inconvenience the confusion might have caused.

On the TOC call on March 8th, a month after the @TheFoxAtWork comment, Emily herself deferred the decision to the TAG representatives on whether to carry on with the assessments. Then, those on that call agreed that performing a full assessment would be essential due to the project's heavy positioning in its security aspects.

Justin and I have had recurring conversations about it as assessment coordinators over the last couple of weeks. We both agreed on reopening the issue.

From a scheduling perspective, the project will be placed back in the backlog of assessments. Pending the self-assessment, which the project team still needs to provide, the review will occur once reviewer availability is freed from the number of other project assessments currently in progress.

@anvega anvega reopened this Jul 31, 2023

lizrice commented Aug 25, 2023

@ferozsalam would be a good person from Cilium to answer questions during this process.

@JonZeolla

@anvega is this still open for additional reviewers? I would like to contribute.

I have read the security reviewer guide and have no conflicts.


anvega commented Jun 11, 2024

Closing this issue due to inactivity and the threat model the project did on its own. Please feel free to reopen if there is renewed interest in a joint assessment.

@anvega anvega closed this as not planned Jun 11, 2024