
Re: [mosquitto-dev] Security audit for Eclipse Mosquitto

Thank you for the questions, Greg. 

I embedded my thoughts in the email below.



From: Greg Troxel
Sent: Thursday, September 22, 2022 8:34 AM
To: terryatsnort@xxxxxxxxxxx
Cc: Roger Light; General development discussions for the mosquitto project
Subject: Re: [mosquitto-dev] Security audit for Eclipse Mosquitto


<terryatsnort@xxxxxxxxxxx> writes:

> Based on other reports from OSTIF, I believe that they perform the following tasks for a general project:
>
>   *   source code review
>      *   Static code analyzer is used
>   *   Build process review
>   *   installation
>      *   checking documents and default configuration
>   *   Threat modeling
>   *   pen testing

Sounds entirely reasonable.

> With my very limited understanding of Mosquitto, it might be useful to ask OSTIF for the following items at this stage:
>
>   1.  manual source code review
>   2.  Threat modeling
>      *   certificate/private key management on Windows platform

Why do you specifically mention Windows?  This is an open source project
and I'd therefore expect that if anything, work would lean to open
source operating systems (GNU/Linux, *BSD, illumos).  But also, I'd
expect most serious deployments to be on POSIXy systems -- but then I am
often surprised....
[Terry] Two reasons:
  1. Mosquitto is used on Windows.
  2. On those open source OSes, file permissions are the normal and the "only needed" way to protect sensitive information, like a private key file.
    While on Windows, certificates are normally managed by the Windows certificate store, instead of having the private key as a disk file (like what's done on open source OSes). Hence it's more vulnerable when being used on Windows.

>   3.  Installation documents and default configuration
>   4.  Pen testing
>   5.  Dependency of OpenSSL
> How could we minimize the need to follow up on the frequent updates from OpenSSL?

Do you mean the every few years need to change the code to keep up with
API changes?
Or are you thinking of mosquitto as producing binary releases, but
somehow statically linking OpenSSL, and therefore a perceived need to
regenerate them every time there is a patch-level OpenSSL release?
[Terry] This is exactly what I thought. E.g., these days, a customer using a product would often scan the application themselves, and then they would like to know what to do when a new OpenSSL CVE is reported publicly:
  • is this OpenSSL CVE applicable to this application (here, Mosquitto)?
    This might be the hardest, because they don't know exactly which functionalities are used and how (without studying the source code).
  • if it's applicable, do I need to get a new version?
  • or is it necessary for me to compile the code with the latest OpenSSL?
Hope this makes sense.

Or do you mean something else?
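The message above ends on the question of whether a newly published OpenSSL CVE applies to a particular Mosquitto build. Here is an added example (my own code, not Mosquitto or OSTIF code) for the "which OpenSSL version is actually in this binary" half of that question: a script that scans a binary for the version string libcrypto embeds ("OpenSSL 1.1.1q  5 Jul 2022" and the like) and compares it with an affected version range copied from the advisory. A build that statically links OpenSSL carries that string; a build that dynamically links the system OpenSSL does not, and the same scan then has to be run on the libssl/libcrypto the loader resolves. The two sample byte strings and the affected range below are constructed for illustration and do not come from the mailing list or from any specific advisory; the "which functionality does Mosquitto use" half of the question still needs the source or the advisory text.

```python
"""Which OpenSSL does this Mosquitto binary actually carry?

Added example (not Mosquitto or OSTIF code): scan a binary for the version
string OpenSSL embeds in libcrypto and compare it with an affected range
taken from an advisory.  This answers the "which version" question only;
whether Mosquitto uses the vulnerable functionality still needs the source
or the advisory's description.
"""
import re
import sys
from pathlib import Path

# libcrypto embeds a string such as "OpenSSL 1.1.1q  5 Jul 2022"; a binary
# that statically links OpenSSL carries it, a dynamically linked one does not.
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """'1.1.1q' -> (1, 1, 1, 'q'); the letter suffix is empty for 3.x."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError("not an OpenSSL version: %r" % text)
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def find_versions(data):
    """Distinct OpenSSL versions embedded in `data`, in order of appearance."""
    found = []
    for m in VERSION_RE.finditer(data):
        v = (int(m.group(1)), int(m.group(2)), int(m.group(3)),
             m.group(4).decode("ascii"))
        if v not in found:
            found.append(v)
    return found


def classify(data, affected_ranges):
    """'affected', 'not affected' or 'unknown' for one binary's bytes.

    affected_ranges: list of (lowest, highest) inclusive version strings
    copied from the advisory.  Tuple comparison orders 1.1.1 < 1.1.1a < 1.1.1b.
    """
    versions = find_versions(data)
    if not versions:
        # No embedded string: dynamically linked or stripped.  Run the same
        # scan on the libssl/libcrypto the loader resolves (see `ldd`).
        return "unknown"
    for v in versions:
        for lo, hi in affected_ranges:
            if parse_version(lo) <= v <= parse_version(hi):
                return "affected"
    return "not affected"


# Constructed sample inputs standing in for two builds of the broker
# (not real binaries): one statically linked, one dynamically linked.
SAMPLE_STATIC = (b"\x7fELF" + b"\x00" * 12 +
                 b"OpenSSL 1.1.1q  5 Jul 2022\x00mosquitto version 2.0.15\x00")
SAMPLE_DYNAMIC = (b"\x7fELF" + b"\x00" * 12 +
                  b"libssl.so.1.1\x00libcrypto.so.1.1\x00mosquitto version 2.0.15\x00")

# Illustrative range only; take the real one from the advisory you are triaging.
EXAMPLE_RANGE = [("1.1.1a", "1.1.1n")]


if __name__ == "__main__":
    # Usage: python openssl_in_binary.py /path/to/mosquitto  (or libcrypto.so)
    path = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    data = path.read_bytes() if path else SAMPLE_STATIC
    print(find_versions(data), classify(data, EXAMPLE_RANGE))
```

An "unknown" result is the common case for distribution packages, which link the system OpenSSL dynamically; there the vendor's libssl/libcrypto package version, not the Mosquitto release, is what the CVE triage should key on, and rebuilding Mosquitto is unnecessary. A version inside the affected range only means the code is present: the customer still has to check the advisory against the TLS features their broker configuration actually enables.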
