[Unconference] STRIDE threat model for the vSphere CSI Driver

Question

[Unconference] STRIDE threat model for the vSphere CSI Driver

aladewberry opened this issue 9 months ago · comments

Description: Let's kick off the vSphere CSI Driver threat model together!
Benefits to Ecosystem: Why is this talk or discussion important to cloud native security?

Security is paramount to everything we do. The Self Assessments subproject in SIG Security is currently working on a threat model for the vSphere CSI driver. Currently, we have all the sequence diagrams in place, and now need to begin the STRIDE model itself!

In addition to kicking off this specific threat model, we want to build a security culture in the upstream community. As such, part of the intent with this session is to gather together people who are interested in these efforts as we continue threat models for other parts of Kubernetes.

While it would be great to make a start on the exercise itself, just getting people together for follow-on sessions over Zoom is great too. A good goal for us to have is to submit a talk for Kubecon EU in the Spring.

Additional info:

Reference to supporting material

Here are our sequence diagrams:

https://app.excalidraw.com/l/9S6CWzRu7GT/2ZxWPy93XiV

Format/process we will use for building the threat model:

https://owasp.org/www-community/Threat_Modeling_Process

Justin Cappos · Answer 1 · Tue Nov 07 2023 00:24:58 GMT+0800 (China Standard Time)

Is this going to be part of a self assessment for the vSphere CSI Driver?

…

On Mon, Nov 6, 2023 at 8:52 AM Ala Dewberry ***@***.***> wrote: Description: Let's kick off the vSphere CSI Driver threat model together! Benefits to Ecosystem: Why is this talk or discussion important to cloud native security? Security is paramount to everything we do. The Self Assessments subproject in SIG Security is currently working on a threat model for the vSphere CSI driver. Currently, we have all the sequence diagrams in place, and now need to begin the STRIDE model itself! In addition to kicking off this specific threat model, we want to build a security culture in the upstream community. As such, part of the intent with this session is to gather together people who are interested in these efforts as we continue threat models for other parts of Kubernetes. While it would be great to make a start on the exercise itself, just getting people together for follow-on sessions over Zoom is great too. A good goal for us to have is to submit a talk for Kubecon EU in the Spring. Additional info: - Reference to supporting material Here are our sequence diagrams: https://app.excalidraw.com/l/9S6CWzRu7GT/2ZxWPy93XiV Format/process we will use for building the threat model: https://owasp.org/www-community/Threat_Modeling_Process — Reply to this email directly, view it on GitHub <#1133>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAGROD3Y5MW5G2UTJFMETIDYDDTTFAVCNFSM6AAAAAA67RQMEWVHI2DSMVQWIX3LMV43ASLTON2WKOZRHE3TSMRRGMYTAOI> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

Ala Dewberry · Answer 2 · Tue Nov 07 2023 00:26:09 GMT+0800 (China Standard Time)

Correct! Cheers! Ala On Nov 6, 2023, at 10:25 AM, Justin Cappos ***@***.***> wrote: !! External Email Is this going to be part of a self assessment for the vSphere CSI Driver?

On Mon, Nov 6, 2023 at 8:52 AM Ala Dewberry ***@***.***> wrote: Description: Let's kick off the vSphere CSI Driver threat model together! Benefits to Ecosystem: Why is this talk or discussion important to cloud native security? Security is paramount to everything we do. The Self Assessments subproject in SIG Security is currently working on a threat model for the vSphere CSI driver. Currently, we have all the sequence diagrams in place, and now need to begin the STRIDE model itself! In addition to kicking off this specific threat model, we want to build a security culture in the upstream community. As such, part of the intent with this session is to gather together people who are interested in these efforts as we continue threat models for other parts of Kubernetes. While it would be great to make a start on the exercise itself, just getting people together for follow-on sessions over Zoom is great too. A good goal for us to have is to submit a talk for Kubecon EU in the Spring. Additional info: - Reference to supporting material Here are our sequence diagrams: https://app.excalidraw.com/l/9S6CWzRu7GT/2ZxWPy93XiV Format/process we will use for building the threat model: https://owasp.org/www-community/Threat_Modeling_Process — Reply to this email directly, view it on GitHub <#1133>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAGROD3Y5MW5G2UTJFMETIDYDDTTFAVCNFSM6AAAAAA67RQMEWVHI2DSMVQWIX3LMV43ASLTON2WKOZRHE3TSMRRGMYTAOI> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

— Reply to this email directly, view it on GitHub<#1133 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AVFQ5HASJO2KAD47LV3DXKDYDEFONAVCNFSM6AAAAAA67RQMEWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTOOJVGM2DKNBVGE>. You are receiving this because you authored the thread.Message ID: ***@***.***> !! External Email: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender.

Andrew Martin · Answer 3 · Tue Nov 07 2023 04:32:28 GMT+0800 (China Standard Time)

The diagrams and documentation look great @aladewberry! That will really help getting everybody on the same page.

If you're around KubeCon NA the Security Village would be a great place to chat on Tuesday. The STAG team will be hanging out there, and we can talk about how we can collaborate and assist on this self-assessment, and what the STAG's process is to go from self- to joint-assessment if that's how we'd like to progress this 🙏

Ala Dewberry · Answer 4 · Tue Nov 07 2023 10:56:22 GMT+0800 (China Standard Time)

Sounds fabulous - I'll come by and we'll have a chat!

Pushkar Joglekar · Answer 5 · Tue Nov 07 2023 11:04:09 GMT+0800 (China Standard Time)

@sublimino this is an unconference submission :) so we have an opportunity to use one of the six slots in total on Day 2 and Day 3 in addition to in person informal meetups at Security hub :)

Michael Lieberman · Answer 6 · Wed Nov 08 2023 07:48:14 GMT+0800 (China Standard Time)

Thanks for your submission @aladewberry. The submission has been accepted and scheduled for Thursday 11/09 at 4:00-4:35. Congrats!

Ala Dewberry · Answer 7 · Wed Nov 08 2023 08:14:29 GMT+0800 (China Standard Time)

Hi folks - I’ll need to leave for my flight home by 3pm. Any chance I could trade slots with someone else? Cheers! Ala On Nov 7, 2023, at 5:48 PM, Michael Lieberman ***@***.***> wrote: !! External Email Thanks for your submission @aladewberry<https://github.com/aladewberry>. The submission has been accepted and scheduled for Thursday 11/09 at 4:00-4:35. Congrats! — Reply to this email directly, view it on GitHub<#1133 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AVFQ5HE4KAPRSE7LTNHFJZ3YDLCETAVCNFSM6AAAAAA67RQMEWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMBQGQZTKNBTGI>. You are receiving this because you were mentioned.Message ID: ***@***.***> !! External Email: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender.

Michael Lieberman · Answer 8 · Wed Nov 08 2023 10:47:45 GMT+0800 (China Standard Time)

@aladewberry can you post on tag security slack? It will help to see if someone can switch.

Ala Dewberry · Answer 9 · Wed Nov 08 2023 12:10:54 GMT+0800 (China Standard Time)

Done! Cheers! Ala On Nov 7, 2023, at 8:48 PM, Michael Lieberman ***@***.***> wrote: !! External Email @aladewberry<https://github.com/aladewberry> can you post on tag security slack? It will help to see if someone can switch. — Reply to this email directly, view it on GitHub<#1133 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AVFQ5HH4EWK3HTDG3U5TNPDYDLXFXAVCNFSM6AAAAAA67RQMEWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMBQHEZDINJQGQ>. You are receiving this because you were mentioned.Message ID: ***@***.***> !! External Email: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender.

Marina Moore · Answer 10 · Mon Nov 13 2023 23:01:11 GMT+0800 (China Standard Time)

Thanks for the presentation! Closing as completed.