[mosquitto-dev] Security audit for Eclipse Mosquitto

Dear all,

The Eclipse Foundation recently received financial support from the OpenSSF’s Alpha-Omega project to help Eclipse Foundation projects improve their security.

I have been asked by the security team at Eclipse if Mosquitto would like to have a security audit using these funds, and I think this is an excellent idea.

The audit would be done by OSTIF, who have already carried out audits on a fair number of open source projects.

The security audits focus on specific sub-component(s) of the project, with a scope decided by the project, rather than the project as a whole. This means that the first step is to define the scope of the audit. The security team has provided some suggestions:

* Security of the build pipeline
* Search for use-after-free and/or buffer overflow
* Usage of OpenSSL/cJSON/c-ares

My own opinion is that out of those, looking at OpenSSL usage would be the most beneficial. I think the memory usage is already well covered by Coverity Scan and valgrind based testing.

I would be very interested in other suggestions or thoughts if you have them.

I hope to be having a call with Mikaël Barbero, the head of security at Eclipse. I would be pleased to have community members join the call. I do not yet have the details of when that will be, but it is likely to be on a Tuesday or Thursday morning, UK time, possibly this coming Thursday. If you are interested in joining then please let me know.

Regards,

Roger
