Message-ID: <20130201141705.GA23051@openwall.com>
Date: Fri, 1 Feb 2013 18:17:06 +0400
From: Solar Designer <solar@...nwall.com>
To: kernel-hardening@...ts.openwall.com
Cc: Corey Bryant <coreyb@...ux.vnet.ibm.com>,
	Kees Cook <keescook@...omium.org>,
	Anthony Liguori <aliguori@...ibm.com>,
	Frank Novak <fnovak@...ibm.com>,
	George Wilson <gcwilson@...ibm.com>,
	Joel Schopp <jschopp@...ux.vnet.ibm.com>,
	Kevin Wolf <kwolf@...hat.com>,
	Warren Grunbok II <wgrunbok@...t.ibm.com>
Subject: Re: Secure Open Source Project Guide

Corey, Kees, all -

Why don't we bring this to the oss-security mailing list?  I think this
topic is not in any way specific nor limited to the Linux kernel.  There
are ~10x more people on oss-security than on kernel-hardening, and this
topic is a better fit for oss-security than for kernel-hardening.  There
is a wiki for the oss-security group, where such content is welcome.
Anyone can register for an account and edit.

Info on the oss-security mailing list:

http://oss-security.openwall.org/wiki/mailing-lists/oss-security

Subscribe here:

http://oss-security.openwall.org/subscribe

(Of course, Kees and many others in here are already on oss-security as
well.  Not all, though.)

On Thu, Jan 31, 2013 at 04:10:03PM -0500, Corey Bryant wrote:
> We should probably start by gathering a list of ideas to include in the 
> guide.  Some initial ideas that come to mind are:
> 
> * Secure programming practices (Secure "Programming for Linux
>   and Unix HOWTO" is a good reference for Linux though probably
>   out of date)

CERT's Secure Coding resources are more current, but they're focused on
programming languages and I think they don't cover operating system
specific pitfalls (e.g., Linux netlink).

> * Performing secure code reviews and detecting common
>   vulnerabilities
> * Ensuring code is reviewed by trusted parties and proper patch
>   tagging is used
> * Signing of releases, pull requests, patches, commits, etc by
>   trusted parties
> * Removing vulnerabilities with automated tooling (Static/Dynamic
>   analysis, Fuzzing)

We have some relevant links here:

http://oss-security.openwall.org/wiki/

and more specifically:

http://oss-security.openwall.org/wiki/tools
http://oss-security.openwall.org/wiki/links
http://oss-security.openwall.org/wiki/code-reviews

More content (and better organization of content) on the oss-security
wiki is welcome - including on all topics you listed above.

Thanks,

Alexander
