Tag-security: [Assessment] Keycloak

Created on 31 Mar 2020  路  34Comments  路  Source: cncf/tag-security

Project Name: Keycloak

Github URL: https://github.com/keycloak/keycloak

Website: https://keycloak.org

TOC Link: https://github.com/cncf/toc/issues/406 (sandbox)

Security Provider: yes (e.g. Is the primary function of the project to support the security of an integrating system?)

  • [x] Identify team

    • [x] Project security lead @bdaw

    • [x] Lead Security Reviewer @ashutosh-narkar

    • [x] 1 or more additional reviewer(s) @Krishan-Sharma, @Eriner, @TheFoxAtWork

    • [x] Declaration of reading of security reviewer guidelines and declaration of conflits (by each reviewer)

    • [x] Sign off by 2 chairs on reviewer conflicts (@JustinCappos in lieu of the chairs)

  • [x] Create slack channel (e.g. #sec-assess-projectname)
  • [x] Project lead provides draft document - see outline
  • [x] "Dumb question phase" Lead Security Reviewer asks clarifying questions
  • [x] Initial review
  • [ ] Presentation & discussion
  • [ ] Share draft findings with project
  • [ ] Assessment summary and doc checked into /assessments/projects/project-name
  • [ ] CNCF TOC presentation (if requested by TOC)
assessment

Most helpful comment

One of highlights which is worth to make is in the meantime Keycloak received a professional external Pen Testing from Cure53 which is captured here: https://cure53.de/pentest-report_keycloak.pdf

(This is highlighted in Self Assessment document as well)

All 34 comments

Project / Security Lead: Stian Thorgersen (github: @stianst)

Project self assesment document: https://docs.google.com/document/d/14IIGliP3BWjdS-0wfOk3l_1AU8kyoSiLUzpPImsz4R0/edit?usp=sharing

Keycloak has been submitting to CNCF late 2018 although has been impacted with process changes and lack of bandwidth from TOC side which led to stop new projects intake. As new process settled and after new TOC elections we would like to re approach CNCF Sandbox submission. With new process this requires CNCF SIG Security recommendation. Keycloak already has approached SIG Security mid 2019 although this has also been impacted with process evolution and lack of bandwidth at that time.

One of highlights which is worth to make is in the meantime Keycloak received a professional external Pen Testing from Cure53 which is captured here: https://cure53.de/pentest-report_keycloak.pdf

(This is highlighted in Self Assessment document as well)

@lumjjb: added to blocked? More details here?

From the project side I believe all initial steps are covered and awaiting additional asks or feedback from SIG Security to move forward. If there is anything in addition required I would be interested to know.

Hi @bdaw is there a toc issue link for keycloak that we can add to the reference? Thanks.

I would like to participate as a reviewer. Here's my conflict declaration:

Hard conflicts:

Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO

Soft conflicts:

Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO

Hello,

I am new to the security research area and do have some experience with security testing. I would like to participate as a security reviewer on this project. Since I don't have prior experience of doing a formal security review for CNCF projects, I am okay to participate through shadowing as well. Below is the conflicts declaration for me:

Hard conflicts:

Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:

Reviewer belongs to the same company/organization of the project, but does not work on the project
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO

@lumjjb : Edited this to make soft conflict more visible

Okay, added @Krishan-Sharma and @ashutosh-narkar to the list.

Looking for a lead and 2-3 more reviewers!

I would like to participate as a reviewer. Here's my conflict declaration:

Hard conflicts:

Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO

Soft conflicts:

Reviewer belongs to the same company/organization of the project, but does not work on the project - Yes
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO

@lumjjb

I would like to participate as a reviewer. Here's my conflict declaration:

Hard conflicts:

Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO

Soft conflicts:

Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO

Okay, it looks like we're mostly missing the lead reviewer. Any volunteers? @ashutosh-narkar , do you qualify and if so do you have time?

@JustinCappos I haven't yet been a lead on any other assessment so it would be helpful to be a reviewer on this assessment before leading one. Hope that's fine.

Okay, I'll ask for volunteers tomorrow and see if we can get someone else. We've had good experience with a past project lead taking the lead on a review, so if you were willing to lead (if we can't find someone else), this is likely to be permitted.

Since the chairs are pre-occupied, I'll sign off on the reviewer conflict of interest forms.

I'm not able to spend enough time on this due to some work related commitments. So for now, I'll like to withdraw my name from list of reviewers for this assessment.

I'm not able to spend enough time on this due to some work related commitments. So for now, I'll like to withdraw my name from list of reviewers for this assessment.

@ashutosh-narkar Do you feel like you have enough people looking at this? Should we try to recruit someone else to help out?

@JustinCappos it would be helpful to have one more reviewer.

@JustinCappos it would be helpful to have one more reviewer.

I'll work on this.

My apologies as I too am unable to dedicate enough time on this security review due to pressing urgent work on my plate currently, and will need to withdraw my name to avoid holding back the team's assessment.

@TheFoxAtWork , you'd mentioned you would be willing to participate. If so, would you kindly list your conflict statement?

This would be my first assessment.

Hard conflicts:

Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO

Soft conflicts:

Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO

This would be my first assessment.

Hard conflicts:

Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO

Soft conflicts:

Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO

Great, I've added you.

Happy to help

Hard conflicts:

Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO

Soft conflicts:

Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO*
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO

*I oversee a team conducting research on this capability. It is not in use at this time.

@dshaw @ultrasaurus @pragashj , will you kindly sign off of on the reviewer conflict statements? (It should be very straightforward.)

For reference, Keycloak was covered in Oct 2018 in a TOC meeting. The video is here and the slides are here.

@JustinCappos: checking in on the status of this review? Thanks!

It's getting close. @ashutosh-narkar do you want to give a more detailed update?

We have been working closely with the Keycloak team on their self-assessment doc. We have gone through multiple rounds of questions/clarifications over the document and the Keycloak team has been very prompt in addressing the review team's comments. The review team submitted a list of consolidated recommendations on July 9th and the Keycloack team addressed them last week. We'll go over the doc again next week and if it looks good, we can move to the next stage of the assessment process.

@amye please let me know if you have any questions. Thanks

This issue has been automatically marked as inactive because it has not had recent activity.

@ashutosh-narkar is this all good yet? can we close this?

@lumjjb yes ! We have already closed this pull request.

Awesome! Closing this then! Thanks!

Was this page helpful?
0 / 5 - 0 ratings

Related issues

TheFoxAtWork picture TheFoxAtWork  路  7Comments

MVrachev picture MVrachev  路  6Comments

lumjjb picture lumjjb  路  3Comments

justincormack picture justincormack  路  10Comments

ultrasaurus picture ultrasaurus  路  5Comments