by Jake Kouns, 2010-04-29 20:40:33 UTCIntroducing Cloutage
“A wise man changes his mind, a fool never.†- Spanish Proverb
Open Security Foundation is a 501(c)(3) non-profit public organization founded and operated by information security enthusiasts. OSF runs a project called OSVDB that provides accurate and unbiased information about security vulnerabilities in computerized equipment. From the creation of the project there was detailed conversation around what information should be included in the project and a specific topic that was a challenge to address was what we termed "Site Specific" vulnerabilities. Site specific vulnerabilities are those that are not detailing a weakness in a particular piece of software that a customer might download and install, but rather the exact location of an online service where that vulnerability exists. Instead of explaining how to pick a lock if you happened to find one, a site specific vulnerability would in theory direct you to someone's home and give you directions how to break in. OSF officers in January of 2006, explained publicly that the OSVDB project aimed to provide useful information to help improve the level of security for the community, and they believed that a site specific vulnerability did not fall in that category currently. The goal was not to provide the address of a single family home and provide information to help someone break the lock. If the vulnerability was in a company website or an online service which was not able to be downloaded and installed by an individual it was not deemed eligible for inclusion. While we still believe this was the right decision at the time it did not come without some pain as many OSF officers/contributors personally found it extremely interesting and believed that this data was extremely valuable.
We are now at a point where there is a real difference between Site Specific Vulnerabilities and Cloud Services. If we once again look at our real estate example; think of it this way, Site Specific vulnerabilities are those that are in single family homes and a Cloud Service are those that are multi-tenant. When multiple tenants rely on the security of one lock it changes the risk exposure entirely. With the increasing move to the Cloud it is critical to understand the risks and how Cloud Solution Providers are protecting their customers. With its distinct advantages, more and more organizations are relying on the Cloud and online services and will find great value in knowing about an issue with their provider. The fact that many businesses are putting their critical data and production services in the Cloud, suggests that vulnerabilities in the Cloud are just as dangerous as vulnerabilities in the software deployed on their own network.
OSF is now proud to introduce a new project called Cloutage (the site is located at cloutage.org) that will bring enhanced visibility and transparency to Cloud security.
Cloutage's goal is to provide unbiased knowledge and security resources on Cloud Computing so that organizations properly manage information security risks. Cloutage captures data about incidents affecting cloud services in several forms including vulnerabilities that affect the confidentiality and integrity of customer data, automatic update failures, data loss, hacks and outages that impact service availability. Data is acquired from verifiable media resources and is also open for community participation based on anonymous user submissions. Cloud Solution Providers are listed on the website and the community may provide comments and ratings based on their experiences. Cloutage also features an extensive news service, mailing lists and links to organizations focused on the secure advancement of cloud computing.
There are many new features in the works and we are actively looking for people that would like to blog about cloud security. If you are interested in helping the project please contact us at stewards at cloutage.org.