SRTool User Page

From Yocto Project
Latest revision as of 23:41, 24 January 2019


This page summarizes the Security Response Tool (SRTool) user documentation.


Goals

  • A common system to track and share security issues, combining community CVEs
  • A simple yet flexible interface for reporting and exploring the security issues
  • A place to upload and share attachments, including patches, fixes, emails, and documents
  • The ability to generate accurate and up-to-date reports and exports
    • Status on a given CVE and its defects, for a specific product or for all affected products
    • Compliance reports on sensitive CVEs, for example the chain of events and who-knew-what-when
    • Status of each product, for the related CVE defects
    • Ability to easily export that data to spreadsheets and to the public CVE database
  • The ability to securely store embargoed CVEs and data, complete with user protection and data encryption
  • Tools to help manage the ongoing influx of CVEs (around 1000 per month) so that expert time is not wasted and crucial CVEs are not lost
  • In general, a managed and automated tool set based on open source to replace splintered email threads and brittle manual systems


Basic introduction to the interface

  • Initial data set: This initial data set contains the integrated CVE, Defect, and Sustaining data for 'CVE-2015-*' to 'CVE-2018-*'
  • Home page: The title bar "SRTool:Security Response Tool" will always link you back to the home page
  • Tables: In tables there are three ways to adjust the data set, and they can be used separately and/or together to get the best results
    • The search bar: most of the text fields are searchable. Enter a value (like 'meltdown') and all records that have that string in those fields will appear
    • The column sort: all column titles that appear in blue can be used to sort using that column. Click a second time to reverse the sort
    • The column filter: when you click on the 'cone' symbol in a column title you can select a filter based on that column's data
    • At the bottom of each table you can set the page size and jump to different pages
  • User Model: The SRTool uses the Django User Access Model


SRTool Record Types

CVE Record

  • A CVE record is the representation of an upstream CVE that comes from MITRE, NIST, or other sources
  • The data in a CVE record is intended to be pristine, however you can superimpose local edits to the CVE records to fix upstream errors
  • You can create "local" CVEs for issues that do not yet have a formal CVE number

Vulnerability Record

  • A "Vulnerability" is an SRTool record that tracks a given issue across the organization's products and releases
  • It normally tracks a single CVE, but it can also attach to multiple CVEs that may be duplicates or overlaps
  • Pertinent data like patches, reproducers, or documents can be attached and thus shared
  • A Vulnerability can be created without a CVE, in case the CVE does not yet exist or is currently embargoed

Investigation Record

  • An "Investigation" is an SRTool record that tracks a given Vulnerability to a specific product and defect
  • It normally attaches to a single defect, but it can also be attached to multiple defects in case (for example) the vulnerability is broken across several functional teams (e.g. kernel, user space, hardware, ...)
  • Pertinent data like patches, reproducers, or documents can be attached and thus shared
  • An Investigation can be created without a defect, in case the issue is still being investigated or is currently embargoed from the public defect database

Defect Record

  • A "Defect" is the representation of the organization’s defect (Jira, Bugzilla)
  • It connects to a CVE via the parent Investigation record and Vulnerability record
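As an added illustration (not SRTool's own code, which is a Django application), the following Python models the record relationships described above: CVE data kept pristine with local edits superimposed, Vulnerabilities attaching CVEs and one Investigation per product, Investigations carrying defect links, and locked records hidden from users not on the invite list. All record names, statuses and ids are constructed, and the query function cve_status is an assumption of this example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CVE:
    name: str
    upstream: dict                                    # pristine NIST/MITRE data
    local_edits: dict = field(default_factory=dict)   # SRTool edits, kept apart

    def effective(self) -> dict:
        """Local edits are superimposed on, never written into, upstream data."""
        return {**self.upstream, **self.local_edits}


@dataclass
class Investigation:                 # one per product under a Vulnerability
    product: str
    status: str
    defects: list = field(default_factory=list)   # (defect id, status) pairs


@dataclass
class Vulnerability:
    name: str
    cves: list                                    # usually one, may be several
    investigations: list = field(default_factory=list)
    invited: Optional[set] = None                 # None = public, else locked


def cve_status(vulns, cve_name, user, product=None):
    """Status of a CVE and its defects per product, as seen by `user`.
    Locked (embargoed) records are omitted entirely for uninvited users."""
    rows = []
    for v in vulns:
        if v.invited is not None and user not in v.invited:
            continue
        if cve_name not in {c.name for c in v.cves}:
            continue
        for inv in v.investigations:
            if product is None or inv.product == product:
                rows.append((v.name, inv.product, inv.status, list(inv.defects)))
    return rows


# Constructed sample data; CVE-YYYY-NNNN is a placeholder, not a real CVE id.
CVE_A = CVE("CVE-YYYY-NNNN", {"cvss_v3": "9.8", "summary": "upstream text"},
            local_edits={"cvss_v3": "7.5"})        # local fix of upstream score
VULNS = [
    Vulnerability("VUL-1", [CVE_A], [
        Investigation("product-x", "Vulnerable", [("BUG-100", "Open")]),
        Investigation("product-y", "Not Affected"),
    ]),
    Vulnerability("VUL-2", [CVE_A], [Investigation("product-z", "Investigating")],
                  invited={"alice"}),               # embargoed: invitation-only
]
```

Calling cve_status(VULNS, "CVE-YYYY-NNNN", "guest") returns only the two public product rows, while the same call as "alice" also returns the locked product-z Investigation.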

Overview of the SRTool Records

Here is a picture of the high level SRTool record structure:

[Figure: SRTool Record Structure (Records_Packages_under_SRTool.png)]



Usage Guide

Working with CVEs

  • The CVE page is based on the NIST public page, and includes the V3 and V2 severity information, download links, and CPEs
  • There are tabs to see (a) the original NIST source data, (b) alternate CVE sources, and (c) SRTool edits (if added)
  • At the top is a place for the internal tags to help lookups and track status
  • At the top is a place to see the publishing state. It can include future dates, plus a "Publish Now" button
  • The "New CVE" link creates a new custom local CVE record
  • The "Fetch alt data" link adds Mitre, Debian, and other data to this CVE
  • The "Export" link provides CVE specific reports

Working with Vulnerabilities

  • Vulnerability records track the overall status of a CVE (or a group of tightly related CVEs)
  • Multiple related CVEs can be attached
  • Multiple Investigations can be attached, one per product
  • Comments and attachments can be added by logged-in users (for traceability)
  • Users can sign up for change notification emails
  • Vulnerabilities can be public, or locked to an invitation-only list of users
  • The "Edit Status ..." button allows changes to fields such as the status, priority, and comments
  • The "Create Notification..." button is for notifying owners of status changes for the record
  • The "Delete" button is for deleting this record
  • The "Add product ..." button is for attaching a product and creating the corresponding Investigation record
  • The "New Vulnerabilities" link creates a new vulnerability record
  • The "Export" link provides Vulnerability specific reports

Working with Investigations

  • Investigation records track the status of a CVE for a given product
  • Multiple defect links can be attached
  • Comments and attachments can be added by logged-in users
  • Users can sign up for change notification emails
  • Investigations can be public, or locked to a controlled list of users
  • The "Edit Status ..." button allows changes to fields such as the status, priority, and comments
  • The "Create Notification..." button is for notifying owners of status changes for the record
  • The "Delete" button is for deleting this record
  • The "Export" link provides Investigation specific reports

Working with Defects

  • This table lists all of the defects being tracked by the Vulnerabilities and Investigations
  • A quick status overview of the defects is provided
  • A quick summary page per defect is provided, with a link to the actual defect

Working with Products

  • The Products page shows the organization's products that are attached to the SRTool
  • Links are provided to view the product's Vulnerabilities, Investigations, and Defects

Working with User Accounts

  • By default you will be logged in as an anonymous "Guest"
  • Click log-in in the top bar:
    • Select to log in with your credentials
    • Select to create your own Guest account
  • When logged in, click your user name in the top bar to:
    • Select to log out. This will return you to the anonymous 'Guest' account
    • Select to edit your account settings
    • Select to edit your password