misp-training/mii.0-security/content.tex


% DO NOT COMPILE THIS FILE DIRECTLY!
% This is included by the other .tex files.
\begin{frame}[t,plain]
\titlepage
\end{frame}
\begin{frame}[fragile]
\frametitle{Reporting security vulnerabilities in MISP/Cerebrate}
\begin{itemize}
\item {\bf If you find security vulnerabilities (even minor ones) in the MISP project, send an encrypted email} (info@circl.lu) with the details and especially how to reproduce the issue. Avoid sharing the vulnerability publicly before a fix is available in MISP. PGP key fingerprint: CA57 2205 C002 4E06 BA70 BE89 EAAD CFFC 22BD 4CD5.
\item We usually fix reported and confirmed security vulnerabilities in less than 48 hours.
\item {\bf We will request a CVE number} if the reporter didn't ask for one (don't forget to mention how you want to be credited).
\end{itemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{CVE allocation at CIRCL}
\begin{itemize}
\item We request NVD CVEs via MITRE. The CVE request is sent only once all of the following has been done:
\begin{itemize}
\item The bug is fixed (fix committed publicly)
\item The report acknowledgement is present and clear (even if it's anonymous)
\item The original reporter has been notified (and didn't ask for a CVE directly or via a CNA)
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{CVE assigned and its publication}
\begin{itemize}
\item When the CVE is published (available in the NVD database):
\begin{itemize}
\item Publish the vulnerability on the project's website (example\footnote{\url{https://www.misp-project.org/security/}})
\item Make a software release (at least a tagged version) so that the exact vulnerable versions can be identified
\item Send a reminder about the security vulnerability to existing users via different channels
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{CVE allocation for MeliCERTes II}
\begin{itemize}
\item We propose to use the same model (unless there is an objection or existing modules already have their own vulnerability disclosure process)
\item If an organisation or the author of a module used in MeliCERTes II cannot assign a CVE, we propose to take the lead for the CVE allocation (following the three rules described above)
\item Add a reference to each module's vulnerability disclosure process in the MeliCERTes/docs\footnote{\url{https://github.com/melicertes/docs}} repository
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Some random practices from MISP}
\begin{itemize}
\item A series of random open source practices and workflows used by MISP
\item Maybe some could be reused or improved for MeliCERTes II
\end{itemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{Code of Conduct}
\begin{itemize}
\item The MISP project has a Contributor Covenant Code of Conduct\footnote{\url{https://github.com/MISP/MISP/code_of_conduct.md}}.
\item The goal of the code of conduct is to foster an {\bf open, fun and welcoming environment}.
\item Another important aspect of the MISP project is to welcome different areas of expertise in information sharing and analysis. The {\bf diversity of the MISP community} is important to make the project useful for everyone.
\end{itemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{Reporting a bug, an issue or suggesting features}
\begin{itemize}
\item The most common way to contribute to the MISP project is to report a bug or an issue, or to suggest a feature.
\item Each project (MISP core, misp-modules, misp-book, misp-taxonomies, misp-galaxy, misp-object or PyMISP) has its {\bf own issue management}.
\item Don't forget that you can {\bf cross-reference issues} from other sub-projects.
\item If you know an answer or could help on a specific issue, we welcome all contributions including {\bf useful comments to reach a resolution}.
\end{itemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{Automatic integration and testing}
\begin{itemize}
\item The majority of the repositories within the MISP GitHub organisation include automatic integration with TravisCI or GitHub Actions.
\item If you contribute and make a pull-request, {\bf verify if your changes affect the result of the tests}.
\item Automatic integration (Travis included) is not perfect, but it's a quick win for catching new bugs or major issues in a contribution.
\item When you do a pull-request, TravisCI is automatically called\footnote{\url{https://travis-ci.org/MISP}}.
\begin{itemize}
\item If this fails, no worries, {\bf review the output at Travis} (the failure is not always caused by your change).
\end{itemize}
\item We are working on additional automatic tests including unit testing for the MISP core software (contributors are welcome).
\end{itemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{JSON validation for MISP libraries}
\begin{itemize}
\item All JSON formats ({\bf galaxy, taxonomies, objects or warning-lists}) are described by a JSON Schema\footnote{schema\_name.json}.
\item The TravisCI tests include JSON validation (via \emph{jq}) and validation against the associated JSON Schema.
\item How to contribute a JSON library (objects, taxonomies, galaxy or warning-list):
\begin{itemize}
\item If you update a JSON library, don't forget to run \emph{jq\_all\_the\_things.sh}. It's fast and easy. If it fails, review your JSON.
\item Commit your code and make a pull-request.
\end{itemize}
\item Documentation (in PDF and HTML format) for the libraries is automatically generated from the JSON via asciidoctor\footnote{example \url{https://github.com/MISP/misp-galaxy/blob/master/tools/adoc_galaxy.py}}.
\end{itemize}
\end{frame}
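The two gates the slide above describes (the JSON must survive a \emph{jq} reformat pass and must validate against the library's JSON Schema) can be reproduced locally before opening a pull request. The script below is an added example, not the project's \emph{jq\_all\_the\_things.sh} and not any MISP schema: the taxonomy-like schema, the sample files and the assumption that the reformat pass behaves like \texttt{jq -S .} (sorted keys, two-space indent) are all constructed for this example, and only a small subset of JSON Schema (\texttt{type}, \texttt{required}, \texttt{properties}, \texttt{items}) is implemented, with the standard library only.

```python
"""Pre-commit style check for MISP-like JSON libraries (added example).

This is NOT the project's jq_all_the_things.sh; it reproduces the two gates
from the slide (canonical formatting + JSON Schema validation) with the
standard library only. The schema and sample files are constructed.
"""
import json
from typing import Any, Dict, List

# Constructed schema: a simplified stand-in for a taxonomy machinetag.json
# schema (assumption for the example, not the project's real schema.json).
TAXONOMY_SCHEMA: Dict[str, Any] = {
    "type": "object",
    "required": ["namespace", "description", "version", "predicates"],
    "properties": {
        "namespace": {"type": "string"},
        "description": {"type": "string"},
        "version": {"type": "integer"},
        "predicates": {
            "type": "array",
            "items": {
                "type": "object",
                "required": ["value", "expanded"],
                "properties": {
                    "value": {"type": "string"},
                    "expanded": {"type": "string"},
                },
            },
        },
    },
}

_TYPES = {"object": dict, "array": list, "string": str,
          "integer": int, "boolean": bool}


def validate(instance: Any, schema: Dict[str, Any], path: str = "$") -> List[str]:
    """Tiny JSON Schema subset (type/required/properties/items); returns errors."""
    errors: List[str] = []
    expected = schema.get("type")
    if expected is not None:
        # bool is a subclass of int in Python, so keep "integer" strict
        wrong_type = (not isinstance(instance, _TYPES[expected])
                      or (expected == "integer" and isinstance(instance, bool)))
        if wrong_type:
            return [f"{path}: expected {expected}, got {type(instance).__name__}"]
    if isinstance(instance, dict):
        for key in schema.get("required", []):
            if key not in instance:
                errors.append(f"{path}: missing required key '{key}'")
        for key, sub in schema.get("properties", {}).items():
            if key in instance:
                errors.extend(validate(instance[key], sub, f"{path}.{key}"))
    if isinstance(instance, list) and "items" in schema:
        for i, item in enumerate(instance):
            errors.extend(validate(item, schema["items"], f"{path}[{i}]"))
    return errors


def canonical(text: str) -> str:
    """Canonical form: sorted keys, two-space indent, trailing newline.
    Assumption: this mimics a `jq -S .` reformat pass closely enough to
    flag files that the project's jq pass would rewrite."""
    return json.dumps(json.loads(text), indent=2, sort_keys=True,
                      ensure_ascii=False) + "\n"


def check_library(text: str, schema: Dict[str, Any]) -> List[str]:
    """Run both gates on the text of one JSON library file."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    problems = validate(data, schema)
    if canonical(text) != text:
        problems.append("not in canonical format: re-run the jq reformat pass")
    return problems


# Constructed sample files: one clean, one with schema and formatting defects.
GOOD = canonical(json.dumps({
    "namespace": "example", "description": "Demo taxonomy", "version": 1,
    "predicates": [{"value": "a", "expanded": "A"}],
}))
BAD = '{"namespace": "example", "version": "1", "predicates": [{"value": "a"}]}\n'

if __name__ == "__main__":
    for name, text in (("good.json", GOOD), ("bad.json", BAD)):
        errs = check_library(text, TAXONOMY_SCHEMA)
        print(name, "OK" if not errs else errs)
```

Running it reports \texttt{good.json} as clean and lists four problems for \texttt{bad.json}: the missing \texttt{description}, \texttt{version} given as a string, a predicate without \texttt{expanded}, and the non-canonical formatting. Pointing \texttt{check\_library} at the real schema.json of a library and its files gives a contributor the same signal Travis would, before the pull request is opened.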
\begin{frame}[fragile]
\frametitle{Documentation}
\begin{itemize}
\item In addition to the automatic generation of documentations from JSON files, we maintain {\bf misp-book}\footnote{\url{https://github.com/MISP/misp-book}} which is a generic documentation for MISP including usage, API documentation, best practices and specific configuration settings.
\item The book is generated in HTML, PDF, epub and mobi using GitBook\footnote{\url{https://github.com/GitbookIO}}, which is a framework for writing documentation in Markdown format.
\item TravisCI is included in misp-book and {\bf the book generation is tested at each commit}.
\item The MISP book is regularly published on the misp-project.org and circl.lu websites.
\item Contributors are welcome, especially for new topics\footnote{Topics of interest are analyst best practices, } and also for fixing our broken English.
\end{itemize}
\end{frame}
\begin{frame}[fragile]
\frametitle{Internet-Draft - IETF for MISP formats}
\begin{itemize}
\item If you want to contribute to our IETF Internet-Draft for the MISP standard, misp-rfc\footnote{\url{https://github.com/MISP/misp-rfc}} is the repository to contribute to.
\item {\bf Update only the Markdown file}; the XML and ASCII versions of the IETF I-D are generated automatically.
\item When a major release or update of the format happens, we publish the I-D to the IETF\footnote{\url{https://datatracker.ietf.org/doc/search/?name=misp&activedrafts=on&rfcs=on}}.
\item The process is always MISP implementation $\rightarrow$ IETF I-D updates.
\end{itemize}
\end{frame}