Compute
Elastic Cloud Server
Huawei Cloud Flexus
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Cloud Phone Host
Huawei Cloud EulerOS
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
VPC Endpoint
Cloud Connect
Enterprise Router
Enterprise Switch
Global Accelerator
Management & Governance
Cloud Eye
Identity and Access Management
Cloud Trace Service
Resource Formation Service
Tag Management Service
Log Tank Service
Config
OneAccess
Resource Access Manager
Simple Message Notification
Application Performance Management
Application Operations Management
Organizations
Optimization Advisor
IAM Identity Center
Cloud Operations Center
Resource Governance Center
Migration
Server Migration Service
Object Storage Migration Service
Cloud Data Migration
Migration Center
Cloud Ecosystem
KooGallery
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP Filing
Support Plans
My Credentials
Customer Operation Capabilities
Partner Support Plans
Professional Services
Analytics
MapReduce Service
Data Lake Insight
CloudTable Service
Cloud Search Service
Data Lake Visualization
Data Ingestion Service
GaussDB(DWS)
DataArts Studio
Data Lake Factory
DataArts Lake Formation
IoT
IoT Device Access
Others
Product Pricing Details
System Permissions
Console Quick Start
Common FAQs
Instructions for Associating with a HUAWEI CLOUD Partner
Message Center
Security & Compliance
Security Technologies and Applications
Web Application Firewall
Host Security Service
Cloud Firewall
SecMaster
Anti-DDoS Service
Data Encryption Workshop
Database Security Service
Cloud Bastion Host
Data Security Center
Cloud Certificate Manager
Edge Security
Situation Awareness
Managed Threat Detection
Blockchain
Blockchain Service
Web3 Node Engine Service
Media Services
Media Processing Center
Video On Demand
Live
SparkRTC
MetaStudio
Storage
Object Storage Service
Elastic Volume Service
Cloud Backup and Recovery
Storage Disaster Recovery Service
Scalable File Service Turbo
Scalable File Service
Volume Backup Service
Cloud Server Backup Service
Data Express Service
Dedicated Distributed Storage Service
Containers
Cloud Container Engine
SoftWare Repository for Container
Application Service Mesh
Ubiquitous Cloud Native Service
Cloud Container Instance
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GeminiDB
GaussDB
Distributed Database Middleware
Database and Application Migration UGO
TaurusDB
Middleware
Distributed Cache Service
API Gateway
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
Multi-Site High Availability Service
EventGrid
Dedicated Cloud
Dedicated Computing Cluster
Business Applications
Workspace
ROMA Connect
Message & SMS
Domain Name Service
Edge Data Center Management
Meeting
AI
Face Recognition Service
Graph Engine Service
Content Moderation
Image Recognition
Optical Character Recognition
ModelArts
ImageSearch
Conversational Bot Service
Speech Interaction Service
Huawei HiLens
Video Intelligent Analysis Service
Developer Tools
SDK Developer Guide
API Request Signing Guide
Terraform
Koo Command Line Interface
Content Delivery & Edge Computing
Content Delivery Network
Intelligent EdgeFabric
CloudPond
Intelligent EdgeCloud
Solutions
SAP Cloud
High Performance Computing
Developer Services
ServiceStage
CodeArts
CodeArts PerfTest
CodeArts Req
CodeArts Pipeline
CodeArts Build
CodeArts Deploy
CodeArts Artifact
CodeArts TestPlan
CodeArts Check
CodeArts Repo
Cloud Application Engine
MacroVerse aPaaS
KooMessage
KooPhone
KooDrive
On this page

Show all

KooGallery Product Security Review Standards 3.0

Updated on 2025-01-17 GMT+08:00

Sellers are responsible for security vulnerabilities in their released products, including any resulting consequences. The following table lists the specific standards.

Item

KooGallery Product Security Review Standards 3.0

Access control

Isolate users from each other to prevent unauthorized access to resources of other users.

Limit roles, functions, services, and network ports to the minimum necessary to save space and reduce attack surfaces.

Provide authentication mechanisms for man-machine interfaces (MMIs) for system management and machine-to-machine (M2M) interfaces across public networks. The interfaces for which standard protocols do not define any access authentication mechanism are excluded.

Security hardening

Before product release, run vulnerability scanning tools. Provide solutions or workarounds for high-risk vulnerabilities (CVSS score 7.0 or higher).

Application security

Check user permission for each access request that requires authorization and perform the final authentication only on the server.

Use random session IDs for web applications and generate a new session on successful authentication.

Product security

Prohibit functions that allow bypassing system security mechanisms (such as authentication, permission control, and logging) when accessing the system or data.

Prohibit malware. Before product release, run proven antivirus software to scan for viruses, Trojan horses, or malicious programs.

Prohibit software with backdoor access.

Do not run processes that provide services externally or can be remotely accessed as root or equivalently authorized accounts.

Encryption

Use open-source-certified algorithms. Use cryptographically secure random numbers in password algorithms.

Data protection

Do not store sensitive data in public object storage buckets or in plaintext. Encrypt such data and control access to it. Sensitive data includes but is not limited to authentication credentials (such as passwords and dynamic tokens), bank accounts, and service keys.

Over public networks, transfer sensitive data using secure channels or encrypt it before transmission, unless otherwise specified in standard protocols.

Do not display authentication credentials in plaintext in logs, debugging information, and error messages stored in the system.

System security

Use system O&M passwords that meet complexity requirements.

A password must meet the following requirements:

1. At least eight characters

2. At least two types of the following characters:

- Lowercase letters

- Uppercase letters

- Digits

- Spaces and special characters `~!@#$%^&*()-_=+\|[{}];:'",<.>/?

3. Different from the account name

Record management-plane user activities and operation instructions affecting the system in logs to support follow-up audits. Record user ID, time, event type, names of resources accessed, IP address or ID of the client initiating the access, and access result. Control access to logs and prohibit manual deletion or modification of audit logs.

Prohibit hardcoded passwords (including binary codes and unmodifiable scripts) in software and allow users to change passwords. Upon initial system configuration, forcibly change default passwords of all management accounts that can be accessed externally. Prohibit default permissions from accessing customer running instances.

Use clear user permission management. New accounts cannot by default be assigned permissions, only a role with the minimum permissions necessary.

Privacy protection

Provide users with a privacy statement before collecting and processing their personal data. The privacy statement covers personal data types, processing purposes, retention period, storage location, and your contact information.

Obtain user consent before collecting sensitive personal data, such as biometric features, identity information, financial accounts, and usage tracks.

Collect only the personal data required for service processing. Data types and processing purposes must be as stated in the privacy statement or product documentation.

Set a retention period of personal data for service processing. Delete or anonymize personal data after this period.

Provide a way for users to view, update, export, and delete their personal data.

Provide security functions (such as authentication, encryption, permissions, and logging) for personal data.

Obtain separate user consent to share their personal data with a third party. Stop data sharing when users withdraw consent.

Obtain separate user consent or sign a data transfer agreement with transfer parties for cross-border transfer of personal data.

Obtain separate user consent and make rejection/withdrawal convenient for using personal data in automatic decisions, personalized recommendations, profiling, and marketing.

Data security

Comply with data security laws and regulations in your country or region throughout the data processing lifecycle. Declare, archive, and report security risks/incidents of important and core data according to Data Security Law of the People's Republic of China.

Specify your responsibilities and obligations for customer data protection, as well as the purpose, scope, and usage duration, specify the data retention period and clearance method when customers unsubscribe from your services, and promise not to restore the cleared data by technical means in the service statement.

Specify the legality and authenticity of data sources of any data-related services you provide in the service statement.

Take security measures for Huawei Cloud and customers' data assets to prevent disclosure due to improper protection.

Do not use the data provided by Huawei Cloud beyond the purpose, scope, and period authorized by Huawei Cloud. Do not provide data related to Huawei Cloud to third parties.

If a data security incident, such as data breach, damage, and ransomware, occurs due to your reasons, take remedial measures immediately after detecting the incident, report the incident information and result according to regulatory requirements, and notify Huawei Cloud.

Integrity protection

Encrypt software/patches or use secure delivery to customers. Provide integrity verification such as hashing.

Lifecycle management

Do not use platforms, open-source components, or third-party components that reach End-of-Life (EOL) in the product.

O&M security

Do not use preset, empty, or weak passwords for interfaces connected to the public network.

Unless there are industry-compliant input restrictions, passwords must meet the following requirements:

1. At least eight characters

2. At least two types of the following characters:

- Lowercase letters

- Uppercase letters

- Digits

- Spaces and special characters `~!@#$%^&*()-_=+\|[{}];:'",<.>/?

3. Different from the account name

Display a warning message for invalid passwords.

Comply with the Huawei Cloud KooGallery Partner Product Seller Agreement for vulnerability notification and fixing.

Do not open high-risk services to the public network. If this is unavoidable, take peripheral network security measures and describe them in the product documentation.

We use cookies to improve our site and your experience. By continuing to browse our site you accept our cookie policy. Find out more

Feedback

Feedback

Feedback

0/500

Selected Content

Submit selected content with the feedback