Security findings management in Kendo UI Library

7 posts, 2 answers
  1. Sujit
    4 posts
    Member since:
    Oct 2013

    Posted 16 Sep 2015

    We have a Kendo UI Professional license. With various security audits within our company, a question has been raised regarding potential security vulnerabilities in third-party libraries.

    Our question is how the Kendo UI team manages security findings in the code. In other words, what is the reporting (to the customers) and response process for security vulnerability findings?

  2. Answer
    Sebastian
    Admin
    9934 posts

    Posted 17 Sep 2015

    Hello Sujit,

    By way of introduction, my name is Stefan Rahnev and I'm Product Manager for Kendo UI here at Telerik.

    The code base for our product is built with security in mind, and any potential security vulnerabilities we discover are investigated and addressed promptly. Having said that, we take any legit security vulnerability issue reports from clients very seriously, do our own validation and if confirmed, follow an incremental process to eliminate them in following product versions.

    Although we don't have a specialized notification system or a regular security bulletin enabled, we notify any affected parties when certain security-related issues are fixed by our team.

    I hope this information provides the details you inquired about.

    Kind regards,
    Stefan Rahnev,
    Product Manager, Kendo UI
    Telerik

    Join us on our journey to create the world's most complete HTML 5 UI Framework - download Kendo UI now!
  3. Sujit
    4 posts
    Member since:
    Oct 2013

    Posted 17 Sep 2015 in reply to Sebastian

    Thanks Stefan for your response. I understand from your reply that the Kendo UI team notifies affected parties when security-related issues are fixed. Does the Kendo UI team also notify customers when the team validates and confirms the finding of a potential security vulnerability in a particular product version?

  4. Sebastian
    Admin
    9934 posts

    Posted 18 Sep 2015

    By 'any affected parties' I meant customers as well, Sujit. Fixes related to potential security vulnerabilities can also be tracked via our official release history logs, accessible here.

    Regards,
    Stefan Rahnev,
    Product Manager, Kendo UI
    Telerik
  5. Sujit
    4 posts
    Member since:
    Oct 2013

    Posted 18 Sep 2015 in reply to Sebastian

    I am sorry Stefan, I think I did not do a good job asking what I am looking for. Let me give it one more try. Let's start with what I understood so far:

    1. For any security vulnerability finding, whether it is coming from customers or found internally, the Kendo UI team does validate and confirm it with a thorough investigation.

    2. When a security vulnerability is fixed/addressed, the Kendo UI team notifies all affected parties, including customers.

    3. The Kendo UI team does not have a specialized notification system or a regular security bulletin enabled.

    4. Fixes related to potential security vulnerabilities can be tracked via the Kendo UI official release history logs.

    Now what I am not clear on is this: after #1 (the security vulnerability is validated and confirmed) and before #2 (the security vulnerability is addressed/fixed and customers are notified), does the Kendo UI team notify all affected parties, including customers, that it has confirmed a security vulnerability in a particular release and that it will be addressed in the next release?

  6. Answer
    T. Tsonev
    Admin
    2770 posts

    Posted 24 Sep 2015

    Hello,

    My name is Tsvetomir and I'm part of the Kendo UI team. I'll try to address your questions below.

    Your understanding is correct on all four points.
    As for your question, currently we do not notify customers of security bugs that are not yet fixed.

    I'm not sure what would be the right approach here.
    Disclosing details about exploitable vulnerabilities before actually fixing them will just extend the window of vulnerability.

    That said, security issues are a rare occurrence and usually can be traced down to a particular user setup.
    The framework is passive for the most part and needs a specific configuration to issue requests, output data and so on.

    For example, using a template that does not escape HTML, "#= dataItem.evil #", vs one that does, "#: dataItem.evil #".

    I hope this helps.

    Regards,
    T. Tsonev
    Telerik
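The escaping difference the reply above points to, as an added illustration that is not Kendo UI's template engine or any poster's code: a constructed mini-renderer that mimics the two interpolation forms named in the thread, where `#= expr #` inserts the value raw and `#: expr #` HTML-encodes it first. The `evil` data value, the `<td>` wrapper and the helper names are all assumptions made up for this example; Kendo's real engine compiles templates to JavaScript, while this stand-in only resolves `dataItem` property paths.

```javascript
// Added illustration, not Kendo UI's template engine: a constructed mini-renderer
// that mimics the two interpolation forms named in the thread. "#= expr #" inserts
// the value raw; "#: expr #" HTML-encodes it first. Only dataItem property paths
// are resolved here (no expression evaluation), which is enough to show the difference.

// Encode the five characters that let a value break out of HTML text or an attribute.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Resolve "dataItem.a.b" against the data item without evaluating any code.
function lookup(expr, dataItem) {
  return expr.replace(/^dataItem\./, "").split(".")
    .reduce((obj, key) => (obj == null ? undefined : obj[key]), dataItem);
}

// Render a template: mode "=" is raw, mode ":" is HTML-encoded.
function renderTemplate(template, dataItem) {
  return template.replace(/#([=:])\s*([^#]+?)\s*#/g, (_, mode, expr) => {
    const value = lookup(expr, dataItem);
    return mode === "=" ? String(value) : htmlEncode(value);
  });
}

// Constructed data item: a string an untrusted user could have saved into the data source.
const evilItem = { evil: "<img src=x onerror=alert(1)>" };

// The two templates from the post, wrapped in a table cell as a column template would be.
const RAW_TEMPLATE = "<td>#= dataItem.evil #</td>";     // unescaped
const ENCODED_TEMPLATE = "<td>#: dataItem.evil #</td>"; // HTML-encoded

function renderRaw() { return renderTemplate(RAW_TEMPLATE, evilItem); }
function renderEncoded() { return renderTemplate(ENCODED_TEMPLATE, evilItem); }

// Review aid: list every "#=" interpolation in a template so a reviewer can ask
// whether each inserted value is trusted or should switch to "#:".
function findRawInterpolations(template) {
  return [...template.matchAll(/#=\s*([^#]+?)\s*#/g)].map((m) => m[1]);
}

console.log("raw:     " + renderRaw());      // markup reaches the page unchanged
console.log("encoded: " + renderEncoded());  // markup is shown as literal text
```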
  7. Sujit
    4 posts
    Member since:
    Oct 2013

    Posted 24 Sep 2015 in reply to T. Tsonev

    Thanks Tsvetomir. That completes the information I was looking for.