FW: IDR Phase 1 Acceptance Testing



IDR status and next steps below.

C

CVE Program Volunteer IDR Testers (and AWG members)

In mid-August, the Secretariat notified the CVE Community that the new CVE ID Request (IDR) service would soon be available for community examination and testing. The community testing will provide additional input to help us verify that IDR functions properly and will show us areas where we need to augment/modify the IDR. It also affords the community an opportunity to test their client-side code while we build our "assurance" case for operational deployment.

Those on the "To" line have expressed an interest in examining and testing the service from your locations. (Thank you for volunteering!!)

This note serves as an update to our release/deployment effort to (a) provide you with the schedule for making the code available to you and (b) give you details on how you can examine, interface with and test the service so that you can plan your time accordingly.

Right now, we are internally testing the ID Reservation (IDR) code with unit tests as part of the development and integration tests with the Content Production System (CPS), which includes both CNA and Secretariat functions. The current schedule calls for us to have this deployed to a testing environment for you to access (see item (b) below) on September 26 (which is this Saturday). You will be able to review all of the source code and unit tests as well as execute tests against the RESTful API in an environment which will provide a "testing sandbox" comprising the IDR service and artificial data.

Although it will be available on September 26 for you to examine, we suggest you plan to conduct your actual testing from September 29 – October 9. This will ensure that there are development personnel monitoring the communication channels to address your questions (Monday, September 28 is a MITRE "Holiday"). Of course, the source code will be available for download, review and evaluation of the IDR service on September 26.

You will be able to access the IDR in two ways: (i) by downloading the source to evaluate, compile and execute locally or (ii) by interacting with the IDR API on AWS with your own client.

As noted, the source code will be available on the current Github repository for downloading, examining and compiling in your local environment.

You will be able to interact with the IDR API on AWS in two ways: (i) using Postman scripts that we have developed to exercise the IDR API (or you can develop your own Postman scripts); (ii) executing your own "code" as part of developing your own client.

We will provide a complete set of links to the Github repository (if you don't already have it), the Postman scripts as well as the AWS instance on Friday, 9/25.

For the Community Testing effort we will be testing a system that is configured with "artificial data" (i.e., you will not be testing a "live" operational system). For testing "credentials" we will be providing a series of usernames and "secrets" for you to use to test the IDR interfaces and security policy enforcement mechanisms (within the constraints of the User Stories for IDR Phase 1). There will be two user roles from which you can initiate tests: a normal user role and a privileged role (identified by the *.mitre.org username) to test privileged interfaces.

We would suggest that in the early part of the testing (e.g., September 26 - October 3), the effort should focus on the functional aspects of the system, while the latter part of the testing period (e.g., October 4-9) should focus on the IDR security policy enforcement (i.e., pen testing). We would also suggest that the penetration effort focus more on the IDR interface and less on the AWS environment (although AWS should be considered more in scope as we move to an operational environment).

As you plan your testing effort, note that this is an implementation of the IDR Phase 1 User Stories (located at the Github CVEProject/cse-services Issue page) (filter on the "user story" tag). Please keep these functions in mind as you evaluate and test the system.

Beginning on September 29, during the course of your evaluation and testing, MITRE developers will be available for discussion or questions in the following manner:

i) for near-real-time chat with the developers and others doing testing: gitter.im:

ii) to engage the whole AWG community (along with the developers): AWG email list ():

The developers will be prepared to answer questions and engage in discussion associated with the IDR source, IDR API, general behavior of the IDR and Postman scripts that they created. Unfortunately, they will not be in a position to discuss the specific build/execution environment (e.g., Docker issues) that you may have set up locally (should you choose to download, compile and execute your own instance).

Please use this Github Issue Reporting Page to report any Bug Reports, Feature Requests or Security Vulnerabilities. To highlight that the feedback is based upon IDR Phase 1 Community Testing, tag your entry with "IDR Phase 1 Testing". Please note in your report which User Story the observation is associated with.

On Friday, Sept 25, we will send out the final email to those on the "To" line of this email letting you know the following information so that you can commence testing:

i.) Your assigned user names and "authorization" secret for the testing environment

iii.) A URL for the Postman scripts to facilitate your remote testing

For those in the AWG who wish to participate in the testing of the AWS IDR instance: if you are not on the "To" line of this message, we do not have a record of your interest to do so. Please respond to me () to express your interest so that you can be allocated usernames and authorizations, which we will send out tomorrow to facilitate your testing. If you have not expressed an interest to test, you will not "by default" be sent username and authorization secrets. (Although you may still download and evaluate your own version locally.)

If you have any questions/comments feel free to respond to the AWG List or send them to me directly.

Regards,

Kris Britton
