Public security scan tools
krtaylor
kurt.r.taylor at gmail.com
Sat May 2 11:01:50 AEST 2020
On 4/30/20 3:28 PM, Joseph Reynolds wrote:
> On 4/30/20 3:05 PM, Joseph Reynolds wrote:
>> On 4/28/20 11:12 AM, Joseph Reynolds wrote:
>>> This is a reminder of the OpenBMC Security Working Group meeting
>>> scheduled for this Wednesday April 29 at 10:00am PDT.
>>
> ...snip...
>>>
>> Item 8 added during the meeting:
>> 8. How do we run dynamic scan tools that are privately licensed and
>> the output of which is copyrighted which means it cannot be shared
>> with the OpenBMC community?
>> We shared our current practices which does allow pushing the fixes
>> back into the project. TODO: Joseph will document this practice and
>> add it to the security working group wiki.
>> Then we discussed if we can use tools because we are a Linux function
>> project. TODO: Joseph to follow up with Kurt.
>>
>> - Joseph
>
> Kurt (as OpenBMC Community Manager),
>
> Does being a Linux Foundation Project help? Can we get access to
> security scan tools that normally require a license to use?
> See
> https://github.com/openbmc/openbmc/wiki/Security-working-group#using-dynamic-security-scan-tools
Next time, please address me specifically in the email; it is pure
coincidence that I actually saw this message :)
No, we do not automatically get access to any LF services except what is
already called out in our charter. :-( It never hurts to ask; maybe it
will be free?
If not, I would recommend that the individual companies that use these
services as a part of their product testing push any security fixes
upstream.
- Kurt Taylor (krtaylor)
> Is there some way we can open up the process of dynamic scan testing to
> the community? What are the best practices?
>
> - Joseph
>