
Re: [mosquitto-dev] Security audit for Eclipse Mosquitto

Hi Roger and Greg,

Thanks for the information. 

Based on other reports from OSTIF, I believe that they perform the following tasks for a general project:
  • source code review
    • Static code analyzer is used
  • Build process review
  • installation 
    • checking documents and default configuration
  • Threat modeling
  • pen testing 
With my very limited understanding of Mosquitto, it might be useful to ask OSTIF for the following items at this stage:
  1. manual source code review
  2. Threat modeling
    1. certificate/private key management on Windows platform
  3. Installation documents and default configuration
  4. Pen testing
  5. Dependency on OpenSSL
    How could we minimize the need to follow up on the frequent updates from OpenSSL?
Just my two cents.

Thanks and Regards,
Terry


From: mosquitto-dev <mosquitto-dev-bounces@xxxxxxxxxxx> on behalf of Roger Light <roger@xxxxxxxxxx>
Sent: Thursday, September 22, 2022 1:30 AM
To: Greg Troxel <gdt@xxxxxxxxxx>
Cc: mosquitto-dev eclipse <mosquitto-dev@xxxxxxxxxxx>
Subject: Re: [mosquitto-dev] Security audit for Eclipse Mosquitto
 
Hi Greg,

> * Security of the build pipeline

Is this about a specific CI setup, or about the scripts assuming they
are run by end users?

That entire list was suggestions made by the Eclipse Security team, nothing more. Building up release pipelines is something that I'm working on slowly in the background, but there's nothing on the project side that would merit an audit at the moment.
 
> * Search for use-after-free and/or buffer overflow
> * Usage of OpenSSL/cJSON/c-ares

I agree that OpenSSL usage is a reasonable thing to look at.

I would think that an organization that does audits would be able to run
their automated tools more or less en masse and then present results,
which are perhaps overly verbose and too false-positivy, and then spend
labor hours on figuring out what matters.

The methodology for the OSTIF audits is to focus on a specific area of interest to look at in depth, rather than apply a broad brush approach as you describe. That's why I'm interested in opinions on what the community think is important in scope.

Regards,

Roger

