Re: [mosquitto-dev] Security audit for Eclipse Mosquitto

Hi Terry,

Thanks for your ideas, I've added them to my list to discuss tomorrow.

Regards,

Roger


On Wed, 21 Sept 2022 at 22:19, <terryatsnort@xxxxxxxxxxx> wrote:
>
> Hi Roger and Greg,
>
> Thanks for the information.
>
> Based on other reports from OSTIF, I believe that they perform the following tasks for a general project:
>
> source code review
> Static code analyzer is used
> Build process review
> installation
> checking documents and default configuration
> Threat modeling
> pen testing
>
> With my very limited understanding of Mosquitto, it might be useful to ask OSTIF for the following items at this stage:
>
> manual source code review
> Threat modeling
> certificate/private key management on Windows platform
> Installation documents and default configuration
> Pen testing
> Dependency on OpenSSL
> How could we minimize the need to follow up on the frequent updates from OpenSSL
>
> Just my two cents.
>
> Thanks and Regards,
> Terry
>
> ________________________________
> From: mosquitto-dev <mosquitto-dev-bounces@xxxxxxxxxxx> on behalf of Roger Light <roger@xxxxxxxxxx>
> Sent: Thursday, September 22, 2022 1:30 AM
> To: Greg Troxel <gdt@xxxxxxxxxx>
> Cc: mosquitto-dev eclipse <mosquitto-dev@xxxxxxxxxxx>
> Subject: Re: [mosquitto-dev] Security audit for Eclipse Mosquitto
>
> Hi Greg,
>
> > * Security of the build pipeline
>
> Is this about a specific CI setup, or about the scripts assuming they
> are run by end users?
>
>
> That entire list was suggestions made by the Eclipse Security team, nothing more. Building up release pipelines is something that I'm working on slowly in the background, but there's nothing on the project side that would merit an audit at the moment.
>
>
> > * Search for use-after-free and/or buffer overflow
> > * Usage of OpenSSL/cJSON/c-ares
>
> I agree that OpenSSL usage is a reasonable thing to look at.
>
> I would think that an organization that does audits would be able to run
> their automated tools more or less en masse and then present results,
> which are perhaps overly verbose and too false-positivy, and then spend
> labor hours on figuring out what matters.
>
>
> The methodology for the OSTIF audits is to focus on a specific area of interest to look at in depth, rather than apply a broad brush approach as you describe. That's why I'm interested in opinions on what the community think is important in scope.
>
> Regards,
>
> Roger
>
>