Forum OpenACS Q&A: Security & OACS

Posted by Jeroen van Dongen on
At first I wanted to post this as a reply to this thread
https://openacs.org/forums/message-view?message_id=187744, (about certification of oacs, project/open) however I think the issue is important enough for its own thread.

I just play with oacs by night, as by day I'm an IT security consultant. A certified one in case you care 😊 (CISSP, if some lame persons had not abused the public directory for spam purposes you could have checked me out on http://www.isc2.org)

Anyway, with respect to oacs security in general, I see it brought forward quite often in the forums lately (see also: https://openacs.org/forums/message-view?message_id=187394)
and given the general state of affairs with where the (cyber and real) world is heading, it's not something we can opt to ignore imo.

With respect to certification of OACS (see https://openacs.org/forums/message-view?message_id=187744), I can feel for Chris Davies' opinion that the true value of a one-off certification program is limited (BTW - for whoever missed it, Frank/Pete are not talking about a one-off thing, more on certifying the process, which is a bit of a different thing). Personally (and professionally) I see certification mostly as a marketing tool. I'm not a better professional because I'm certified and no one is going to reimburse my fees if I give bad advice (unless I'm held liable by the justice system of course). It can be a discriminating factor though in bids - because I'm backed by an internationally recognised (itself ISO 17024 certified) organisation that testifies I'm a qualified professional. If my competitor is not, I possibly have an advantage there. But that's it - no more, no less.

So certification is something that imo could benefit the commercial outfits that sell solutions based on OACS - if it's something clients care enough about. But, it's not cheap and does by itself not guarantee anything.

Another, perhaps more viable, alternative would be to establish an explicit security process within the oacs community and communicate this clearly. If you're able to point to a clearly defined security process within the community you already have an advantage over most competitors (with or without certification) *and* it actually brings long term security (and perhaps overall quality) improvements.

Later on, given there's enough interest from (potential) clients, several stakeholders together could perhaps provide funding to get the actual community security process reviewed & certified (perhaps a reason to keep the oacs foundation discussion alive?).

Part of such a process is already in place. Think of things like the OCT, TIPs, the engineering standards etc. Things we might add are explicit security guidelines in the engineering standards, some way of enforcing the set standards (e.g. a process for regular audits of part of the code base for violations of the engineering standards), a visible security team, regular audits of the infrastructure that supports oacs (cvs server, website etc.; compromised cvs servers make bad publicity), clear procedures on how one gets cvs commit access (can't find them, but I guess they are already there), a 4-eyes principle for changes to critical code etc.

Please keep the discussion at a higher level - Jade's post was excellent IMO, but the discussion quickly went into the technical nitty-gritty of signed forms, which is nice by itself, but not very helpful if we want (do we?) to establish a security policy for OACS.

Rgds,
Jeroen van Dongen

2: Re: Security & OACS (response to 1)
Posted by Jade Rubick on
Thanks, Jeroen. I'd still like to see the OCT address these issues, and I'd be happy to help out in any way. For example, I'd be happy to be the moderator on a security Forum.