Re: [mosquitto-dev] Security audit for Eclipse Mosquitto

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [mosquitto-dev] Security audit for Eclipse Mosquitto

From: <terryatsnort@xxxxxxxxxxx>
Date: Wed, 21 Sep 2022 21:19:21 +0000
Accept-language: en-US
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=2tamoPffShvttOaUbM9yBIGO7SiaDTz7PUKTEg7uJzA=; b=ko/qXNkkXNW1NdvRl2chEBNvdsZtPEuIG5/YnrifB998ODkF1mQ3bHTq7rmSOX3PlkfesbP0K/u4P6L1fngoMHDr1dd/He5VEd0sylLcjLUYQIMxBNuj/H8vrQaETiB0H2XaG1c1xKiFbnrg++/wdtmxkzI/7Pdo9DgBcHH/WNnMhJ3i1lUQfSFqwlmSBFH8OeD53Qj6EFGZou59HzljqGmnlMGiQPnnaqBF/v4mZqOhLSaT+yV7KAH9WuD0d5MBimCUgWY/D4oM6XY/hDLmvs9EZcZHLiulQqKaf3BVn34zE9KvC6yKh+9sp/Ox05ETUxKpFNKTMuClE2ofRx4BXg==
Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=msV582CEM9LN5gJH3BbboXFam06QifbQxNqssO172edSGGWHMSMyti98AblDeTKSdJ6jSM9sVhBKa6g+HJgH3j0fJNcYj+G1NcmDlYqPtOu46omYNX0wx2FQC9mJo6mxmQ5BP9ioSyIe+eB6dzAuw849qnRDGIaT6l4fR+cdGyXhGr8dRqJXlUy9VysPRKf9jtSPvdBd/V1TO9TE/eF4gBdzrkWVrXo5e+PpW8mqwxxoNt9XMClbqcMoUfkY6FCQURq+snUuwY8eRZ1AnuCHNcC6Q/VwxzP7IJIF+VhRHx2dKtmAecxQn7UQNpmd0spZjCbiphpyEYKtKZ8NAg2zJQ==
Delivered-to: mosquitto-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/mosquitto-dev/>
List-help: <mailto:mosquitto-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/mosquitto-dev>, <mailto:mosquitto-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/mosquitto-dev>, <mailto:mosquitto-dev-request@eclipse.org?subject=unsubscribe>
Msip_labels:
Thread-index: AQHYy4zMqptkuwn2tUqxvkCYs6cU+63pDBChgAD7G4CAAF3kOw==
Thread-topic: [mosquitto-dev] Security audit for Eclipse Mosquitto

Hi Roger and Greg,

Thanks for the information.

Based on other reports from OSTIF, I believe that they perform the following tasks for a general project:

source code review

Statice code analyzer is used

Build process review
installation

checking documents and default configuration

Threat modeling
pen testing

With my very limited understanding of Mosquitto, it might be useful to ask OSTIF for the following items at this stage:

manual source code review
Threat modeling

certificate/private key management on Windows platform

Installation documents and default configuration
Pen testing
Dependency of OpenSSL
How could we minimize the need to follow up the frequent update from OpenSSL

Just my two cents.

Thanks and Regards,

Terry

From: mosquitto-dev <mosquitto-dev-bounces@xxxxxxxxxxx> on behalf of Roger Light <roger@xxxxxxxxxx>
Sent: Thursday, September 22, 2022 1:30 AM
To: Greg Troxel <gdt@xxxxxxxxxx>
Cc: mosquitto-dev eclipse <mosquitto-dev@xxxxxxxxxxx>
Subject: Re: [mosquitto-dev] Security audit for Eclipse Mosquitto

Hi Greg,

> * Security of the build pipeline

Is this about a specific CI setup, or about the scripts assuming they
are run by end users?

That entire list was suggestions made by the Eclipse Security team, nothing more. Building up release pipelines is something that I'm working on slowly in the background, but there's nothing on the project side that would merit an audit at the moment.

> * Search for use-after-free and/or buffer overflow
> * Usage of OpenSSL/cJSON/c-ares

I agree that OpenSSL usage is a reasonable thing to look at.

I would think that an organization that does audits would be able to run
their automated tools more or less en masse and then present results,
which are perhaps overly verbose and too false-positivy, and then spend
labor hours on figuring out what matters.

The methodology for the OSTIF audits is to focus on a specific area of interest to look at in depth, rather than apply a broad brush approach as you describe. That's why I'm interested in opinions on what the community think is important in scope.

Regards,

Roger

Follow-Ups:
- Re: [mosquitto-dev] Security audit for Eclipse Mosquitto
  - From: Greg Troxel
- Re: [mosquitto-dev] Security audit for Eclipse Mosquitto
  - From: Roger Light

References:
- [mosquitto-dev] Security audit for Eclipse Mosquitto
  - From: Roger Light
- Re: [mosquitto-dev] Security audit for Eclipse Mosquitto
  - From: Greg Troxel
- Re: [mosquitto-dev] Security audit for Eclipse Mosquitto
  - From: Roger Light

Prev by Date: Re: [mosquitto-dev] Security audit for Eclipse Mosquitto
Next by Date: Re: [mosquitto-dev] Security audit for Eclipse Mosquitto
Previous by thread: Re: [mosquitto-dev] Security audit for Eclipse Mosquitto
Next by thread: Re: [mosquitto-dev] Security audit for Eclipse Mosquitto
Index(es):
- Date
- Thread

Breadcrumbs