KooGallery Product Security Review Standards 3.0

Access control

Isolate users from each other to prevent unauthorized access to resources of other users.

Limit roles, functions, services, and network ports to the minimum necessary to save space and reduce attack surfaces.

Provide authentication mechanisms for man-machine interfaces (MMIs) for system management and machine-to-machine (M2M) interfaces across public networks. The interfaces for which standard protocols do not define any access authentication mechanism are excluded.

Security hardening

Before product release, run vulnerability scanning tools. Provide solutions or workarounds for high-risk vulnerabilities (CVSS score 7.0 or higher).

Application security

Check user permission for each access request that requires authorization and perform the final authentication only on the server.

Use random session IDs for web applications and generate a new session on successful authentication.

Product security

Prohibit functions that allow bypassing system security mechanisms (such as authentication, permission control, and logging) when accessing the system or data.

Prohibit malware. Before product release, run proven antivirus software to scan for viruses, Trojan horses, or malicious programs.

Prohibit software with backdoor access.

Do not run processes that provide services externally or can be remotely accessed as root or equivalently authorized accounts.

Encryption

Use open-source-certified algorithms. Use cryptographically secure random numbers in password algorithms.

Data protection

Do not store sensitive data in public object storage buckets or in plaintext. Encrypt such data and control access to it. Sensitive data includes but is not limited to authentication credentials (such as passwords and dynamic tokens), bank accounts, and service keys.

Over public networks, transfer sensitive data using secure channels or encrypt it before transmission, unless otherwise specified in standard protocols.

Do not display authentication credentials in plaintext in logs, debugging information, and error messages stored in the system.

System security

Use system O&M passwords that meet complexity requirements.

A password must meet the following requirements:

1. At least eight characters

2. At least two types of the following characters:

- Lowercase letters

- Uppercase letters

- Digits

- Spaces and special characters `~!@#$%^&*()-_=+\|[{}];:'",<.>/?

3. Different from the account name

Record management-plane user activities and operation instructions affecting the system in logs to support follow-up audits. Record user ID, time, event type, names of resources accessed, IP address or ID of the client initiating the access, and access result. Control access to logs and prohibit manual deletion or modification of audit logs.

Prohibit hardcoded passwords (including binary codes and unmodifiable scripts) in software and allow users to change passwords. Upon initial system configuration, forcibly change default passwords of all management accounts that can be accessed externally. Prohibit default permissions from accessing customer running instances.

Use clear user permission management. New accounts cannot by default be assigned permissions, only a role with the minimum permissions necessary.

Privacy protection

Provide users with a privacy statement before collecting and processing their personal data. The privacy statement covers personal data types, processing purposes, retention period, storage location, and your contact information.

Obtain user consent before collecting sensitive personal data, such as biometric features, identity information, financial accounts, and usage tracks.

Collect only the personal data required for service processing. Data types and processing purposes must be as stated in the privacy statement or product documentation.

Set a retention period of personal data for service processing. Delete or anonymize personal data after this period.

Provide a way for users to view, update, export, and delete their personal data.

Provide security functions (such as authentication, encryption, permissions, and logging) for personal data.

Obtain separate user consent to share their personal data with a third party. Stop data sharing when users withdraw consent.

Obtain separate user consent or sign a data transfer agreement with transfer parties for cross-border transfer of personal data.

Obtain separate user consent and make rejection/withdrawal convenient for using personal data in automatic decisions, personalized recommendations, profiling, and marketing.

Data security

Comply with data security laws and regulations in your country or region throughout the data processing lifecycle. Declare, archive, and report security risks/incidents of important and core data according to Data Security Law of the People's Republic of China.

Specify your responsibilities and obligations for customer data protection, as well as the purpose, scope, and usage duration, specify the data retention period and clearance method when customers unsubscribe from your services, and promise not to restore the cleared data by technical means in the service statement.

Specify the legality and authenticity of data sources of any data-related services you provide in the service statement.

Take security measures for Huawei Cloud and customers' data assets to prevent disclosure due to improper protection.

Do not use the data provided by Huawei Cloud beyond the purpose, scope, and period authorized by Huawei Cloud. Do not provide data related to Huawei Cloud to third parties.

If a data security incident, such as data breach, damage, and ransomware, occurs due to your reasons, take remedial measures immediately after detecting the incident, report the incident information and result according to regulatory requirements, and notify Huawei Cloud.

Integrity protection

Encrypt software/patches or use secure delivery to customers. Provide integrity verification such as hashing.

Lifecycle management

Do not use platforms, open-source components, or third-party components that reach End-of-Life (EOL) in the product.

O&M security

Do not use preset, empty, or weak passwords for interfaces connected to the public network.

Unless there are industry-compliant input restrictions, passwords must meet the following requirements:

1. At least eight characters

2. At least two types of the following characters:

- Lowercase letters

- Uppercase letters

- Digits

- Spaces and special characters `~!@#$%^&*()-_=+\|[{}];:'",<.>/?

3. Different from the account name

Display a warning message for invalid passwords.

Comply with the Huawei Cloud KooGallery Partner Product Seller Agreement for vulnerability notification and fixing.

Do not open high-risk services to the public network. If this is unavoidable, take peripheral network security measures and describe them in the product documentation.