Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 1 Feb 2013 18:17:06 +0400
From: Solar Designer <solar@...nwall.com>
To: kernel-hardening@...ts.openwall.com
Cc: Corey Bryant <coreyb@...ux.vnet.ibm.com>,
	Kees Cook <keescook@...omium.org>,
	Anthony Liguori <aliguori@...ibm.com>,
	Frank Novak <fnovak@...ibm.com>,
	George Wilson <gcwilson@...ibm.com>,
	Joel Schopp <jschopp@...ux.vnet.ibm.com>,
	Kevin Wolf <kwolf@...hat.com>,
	Warren Grunbok II <wgrunbok@...t.ibm.com>
Subject: Re: Secure Open Source Project Guide

Corey, Kees, all -

Why don't we bring this to the oss-security mailing list?  I think this
topic is not in any way specific nor limited to the Linux kernel.  There
are ~10x more people on oss-security than on kernel-hardening, and this
topic is a better fit for oss-security than for kernel-hardening.  There
is a wiki for the oss-security group, where such content is welcome.
Anyone can register for an account and edit.

Info on the oss-security mailing list:

http://oss-security.openwall.org/wiki/mailing-lists/oss-security

Subscribe here:

http://oss-security.openwall.org/subscribe

(Of course, Kees and many others in here are already on oss-security as
well.  Not all, though.)

On Thu, Jan 31, 2013 at 04:10:03PM -0500, Corey Bryant wrote:
> We should probably start by gathering a list of ideas to include in the 
> guide.  Some initial ideas that come to mind are:
> 
> * Secure programming practices (Secure "Programming for Linux
>   and Unix HOWTO" is a good reference for Linux though probably
>   out of date)

CERT's Secure Coding resources are more current, but they're focused on
programming languages and I think they don't cover operating system
specific pitfalls (e.g., Linux netlink).

> * Performing secure code reviews and detecting common
>   vulnerabilities
> * Ensuring code is reviewed by trusted parties and proper patch
>   tagging is used
> * Signing of releases, pull requests, patches, commits, etc by
>   trusted parties
> * Removing vulnerabilities with automated tooling (Static/Dynamic
>   analysis, Fuzzing)

We have some relevant links here:

http://oss-security.openwall.org/wiki/

and more specifically:

http://oss-security.openwall.org/wiki/tools
http://oss-security.openwall.org/wiki/links
http://oss-security.openwall.org/wiki/code-reviews

More content (and better organization of content) on the oss-security
wiki is welcome - including on all topics you listed above.

Thanks,

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.