Hi Roger and Greg,
Thanks for the information.
Based on other reports from OSTIF, I believe that they perform the following tasks for a general project:
- source code review
- Static code analyzer is used
- Build process review
- installation
- checking documents and default configuration
- Threat modeling
- pen testing
With my very limited understanding of Mosquitto, it might be useful to ask OSTIF for the following items at this stage:
- manual source code review
- Threat modeling
- certificate/private key management on Windows platform
- Installation documents and default configuration
- Pen testing
- Dependency of OpenSSL
How could we minimize the need to follow up on the frequent updates from OpenSSL?
Just my two cents.
Thanks and Regards,
Terry
From: mosquitto-dev <mosquitto-dev-bounces@xxxxxxxxxxx> on behalf of Roger Light <roger@xxxxxxxxxx>
Sent: Thursday, September 22, 2022 1:30 AM
To: Greg Troxel <gdt@xxxxxxxxxx>
Cc: mosquitto-dev eclipse <mosquitto-dev@xxxxxxxxxxx>
Subject: Re: [mosquitto-dev] Security audit for Eclipse Mosquitto
> * Security of the build pipeline
Is this about a specific CI setup, or about the scripts assuming they are run by end users?
That entire list was suggestions made by the Eclipse Security team, nothing more. Building up release pipelines is something that I'm working on slowly in the background, but there's nothing on the project side that would merit an audit at the moment.
> * Search for use-after-free and/or buffer overflow
> * Usage of OpenSSL/cJSON/c-ares
I agree that OpenSSL usage is a reasonable thing to look at.
> I would think that an organization that does audits would be able to run
> their automated tools more or less en masse and then present results,
> which are perhaps overly verbose and too false-positivy, and then spend
> labor hours on figuring out what matters.
The methodology for the OSTIF audits is to focus on a specific area of interest to look at in depth, rather than apply a broad brush approach as you describe. That's why I'm interested in opinions on what the community think is important in scope.
Regards,
Roger