
Re: [threadx] Regarding cybersecurity-related information for Eclipse ThreadX

Hi Yoji.

Thank you for your email. I appreciate your interest in Eclipse ThreadX and its security certifications.

Before addressing your questions about ThreadX's security certifications, I would like to highlight the Foundation's approach to security. 

The Eclipse Foundation supports its 425+ open source projects and thousands of committers by simplifying security management and dependency handling. By fostering transparency and trust, we enhance the security posture of the Eclipse ecosystem. Our initiatives equip contributors with tools and knowledge for effective open-source security, including vulnerability reporting, project support, repository best practices, developer training, self-service resources, and advocacy.

Software Bills of Materials (SBOMs) are increasingly important in open source ecosystems since they help projects track their intellectual property contributions and their use of third-party content. This, in particular, enables projects to monitor vulnerabilities in their third-party dependencies properly. The Eclipse Foundation requires its projects to maintain a software bill of materials. OpenChain (ISO/IEC 5230:2020) is an important standard in that space. The standard defines the key requirements of a quality open source license compliance program. The Eclipse Foundation IP Due Diligence Process is self-certified as OpenChain compliant. Eclipse projects following the Eclipse Foundation Development Process and Intellectual Property Due Diligence Process properly are regarded as OpenChain conformant.

You can learn more about our approach to security here: https://www.eclipse.org/security/

Moreover, the Eclipse project handbook explains how our projects handle security vulnerabilities in detail. 

The Microsoft URL you refer to is still mostly valid. The ThreadX project team is working on a new version reflecting ThreadX's transition to the Eclipse Foundation. 

Express Logic achieved Common Criteria certification on the 5.x codebase unless I am mistaken. However, I cannot provide information about it since Microsoft's contribution only included ThreadX v6.

Likewise, we do not have detailed information about the processes Microsoft used to achieve security certifications for Azure RTOS. That said, static analysis was definitely performed as the code complies with all "required" and "mandatory" rules of MISRA-C:2004 and MISRA C:2012. Naturally, this is a practice we intend to continue. Eclipse Foundation staff is currently evaluating tools to perform this task to supplement open source options we currently leverage. 

For the time being, our focus is on safety certifications and related processes. However, we intend to publish our set of secure coding practices and companion security process at some point. We have plans to pursue security certifications in the future but will focus on safety certification for the 6.4.x series first. When that happens, we will naturally share all the relevant details along with the report from the security audit. 

I hope this helps. 

Best Regards,

Frédéric DESBIENS

Project Lead | Eclipse ThreadX  

Senior Manager — Embedded and IoT | Eclipse Foundation

Mastodon: @fdesbiens@xxxxxxxxxxxxxxxxxxxxx

Eclipse Foundation: The Community for Open Innovation and Collaboration

On Thu, 5 Dec 2024 at 01:27, Yoji Sato via threadx <threadx@xxxxxxxxxxx> wrote:
Dear Eclipse ThreadX administrator,

I would like to know more about ThreadX's cybersecurity response. Could you please provide me with some information?

1. Are there any documents you can provide regarding the Eclipse ThreadX usage environment (security context, etc.) and defense-in-depth strategy?

2. There is a Microsoft website at the following URL that seems to have information related to the above, but is this information still valid?
    https://github.com/MicrosoftDocs/azure-docs/blob/4bfd62a9cd9282db996dd7dbc316faeace2335d7/articles/iot/concepts-eclipse-threadx-security-practices.md

3. ThreadX appears to have obtained Common Criteria EAL4+ certification, so could you provide more information such as the components and versions that are affected?

4. In addition to the above, could you provide any information that can confirm that secure coding was implemented to obtain the certification?

5. In addition to the above, would you be able to provide us with any information that can confirm that static code analysis, etc. was conducted in obtaining the certification?

6. In addition to the above, would you be able to provide us with any information that can confirm that reviews from a security perspective were conducted in obtaining the certification?

7. In addition to the above, would you be able to introduce any other security-related certifications you have received?

Best regards,
--
Yoji Sato
Grape Systems Inc.
_______________________________________________
threadx mailing list
threadx@xxxxxxxxxxx
