[Last-Call] Secdir last call review of draft-ietf-opsawg-sbom-access-14

Reviewer: Christian Huitema
Review result: Ready

I have reviewed the changes between draft-09, which I reviewed in September
2022, and draft-14, the most recent version.

The main concern expressed in my review was that "defense at scale" might also
enable "attack at scale". The authors were not entirely convinced that this
applies to their draft, because they "are discussing a discovery mechanism, and
that the mechanism itself does not provide access to the underlying data." The
authors reinforced this point by stating in the introduction that "the model is
a discovery mechanism, and on its own provides no access to the underlying
data."

The other counter argument was that there is a lot to be gained by disclosing
vulnerabilities, and that for most devices vulnerabilities can be deduced from
very simple and well known properties, such as the version of OpenWRT that is
run by a Wi-Fi router. That is true, but my main concern was that having
information available on the device itself was tantamount to flashing a "hack
me now" sign. And I was especially concerned by having that information
published by default by otherwise unconfigured devices. This, the author did
fix. The paragraph in the security section now says:

   SBOMs provide an inventory of software.  If software is available to
   an attacker, the attacker may well already be able to derive this
   very same software inventory.  When this information resides on the
   endpoint itself, the endpoint SHOULD NOT provide unrestricted access
   by default.  Other servers that offer the data MAY restrict access to
   SBOM information using appropriate authorization semantics within
   HTTP. (Followed by description of access control methods.)

The "SHOULD NOT" does address my recommendation, and also mitigates somewhat
the risk of having a server running on an open port on the device. I am also
happy that the ambiguous text about "some of the readable data nodes ...
considered sensitive or vulnerable in some network environments" has been
removed.

I am still concerned that the paragraph starting "SBOMs provide an inventory of
software", as written, only hints at the potential attack, without describing
it. But life is full of such little dissatisfaction...



-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
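The quoted security-considerations text distinguishes the discovery step (which exposes no inventory) from retrieval of the SBOM itself, which an endpoint SHOULD NOT serve unrestricted by default and which a server MAY gate with ordinary HTTP authorization. The following is an added illustration of that split, not code from the draft or from the reviewer: the paths `/discovery` and `/sbom`, the `DeviceConfig` shape, the bearer-token scheme and the sample inventory are all constructed for this example.

```python
"""Default-deny SBOM retrieval on a device, with HTTP bearer-token authorization.

Added example; not code from the draft. Paths, config shape, token scheme and
the sample inventory are assumptions made here for illustration.
"""
import hmac
import json
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: a tiny SBOM-like inventory that resides on the endpoint.
SAMPLE_SBOM = {"components": [{"name": "example-lib", "version": "1.2.3"}]}


@dataclass
class DeviceConfig:
    # None models the "otherwise unconfigured device": no credential has been set.
    sbom_token: Optional[str] = None


def handle_request(method: str, path: str, headers: dict,
                   cfg: DeviceConfig) -> Tuple[int, dict, str]:
    """Dispatch one HTTP request; returns (status, response_headers, body)."""
    if method != "GET":
        return 405, {"Allow": "GET"}, ""

    if path == "/discovery":
        # Discovery only says where the inventory lives; it discloses no inventory,
        # so it can be answered without authorization.
        return 200, {"Content-Type": "application/json"}, json.dumps({"sbom": "/sbom"})

    if path == "/sbom":
        if cfg.sbom_token is None:
            # Unconfigured device: refuse rather than fall open. This is the
            # "SHOULD NOT provide unrestricted access by default" behaviour.
            return 403, {}, "SBOM access is not enabled on this device"

        # Header names are case-insensitive in HTTP; normalize before lookup.
        auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
        scheme, _, token = auth.partition(" ")
        if scheme.lower() != "bearer" or not hmac.compare_digest(
                token.encode(), cfg.sbom_token.encode()):
            # Standard HTTP authorization semantics: challenge with 401 and a
            # WWW-Authenticate header instead of leaking the inventory.
            return 401, {"WWW-Authenticate": 'Bearer realm="sbom"'}, ""

        return 200, {"Content-Type": "application/json"}, json.dumps(SAMPLE_SBOM)

    return 404, {}, ""


if __name__ == "__main__":
    unconfigured = DeviceConfig()
    configured = DeviceConfig(sbom_token="constructed-example-token")
    print(handle_request("GET", "/discovery", {}, unconfigured))
    print(handle_request("GET", "/sbom", {}, unconfigured))
    print(handle_request("GET", "/sbom", {}, configured))
    print(handle_request("GET", "/sbom",
                         {"Authorization": "Bearer constructed-example-token"},
                         configured))
```

The design point is that the unconfigured state is a hard refusal (403) rather than an open door, while a configured device answers a missing or wrong credential with a 401 challenge; `hmac.compare_digest` is used so the token comparison does not leak timing information.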
