Re: [mosquitto-dev] Security audit for Eclipse Mosquitto

<terryatsnort@xxxxxxxxxxx> writes:

> Based on other reports from OSTIF, I believe that they perform the following tasks for a general project:
>
>   *   source code review
>      *   Static code analyzer is used
>   *   Build process review
>   *   installation
>      *   checking documents and default configuration
>   *   Threat modeling
>   *   pen testing

Sounds entirely reasonable.

> With my very limited understanding of Mosquitto, it might be useful to ask OSTIF for the following items at this stage:
>
>   1.  manual source code review
>   2.  Threat modeling
>      *   certificate/private key management on Windows platform

Why do you specifically mention Windows?  This is an open source project
and I'd therefore expect that if anything, work would lean to open
source operating systems (GNU/Linux, *BSD, illumos).  But also, I'd
expect most serious deployments to be on POSIXy systems -- but then I am
often surprised....

>   3.  Installation documents and default configuration
>   4.  Pen testing
>   5.  Dependency of OpenSSL
> How could we minimize the need to follow up the frequent update from OpenSSL

Do you mean the every few years need to change the code to keep up with
API changes?

Or are you thinking of mosquitto as producing binary releases, but
somehow statically linking OpenSSL, and therefore a perceived need to
regenerate them every time there is a patch-level OpenSSL release?

Or do you mean something else?
