Proposal: Security show & tell sessions

Joseph Reynolds joseph-reynolds at
Wed Sep 12 00:49:38 AEST 2018

I am proposing a series of security show & tell sessions. Each week's 
session would be focused on a single area such as bmcweb, using LDAP, or 
secure code update and would bring together developers and security pros 
to talk about that area's security considerations. I hope to distill 
baseline documentation from each discussion.

The discussion I have in mind is structured for a security review.  It 
begins by explaining the area to a software engineer new to the area: 
what the area does, where the docs are, the main sets of interfaces, 
etc.  That helps to make implicit knowledge explicit.  Then we talk 
about interfaces,especially those that are interesting to security.  
That helps provide a shared context to discuss assets, threats, and 
security controls.  The discussion is over at the end of the hour; we 
can do followup sessions later.

The cost to development leaders is half a day (for prep, discussion, and 
review) for each area. The benefits to the project include a security 
review of each area, with documentation usable by new developers, to 
encourage peer review, and for security professionals as a starting 
point for more thorough analysis such as here:

I plan to discuss details of the proposal in the OpenBMC Security 
Working Group meeting (agenda: 
The meeting is Wednesday 2018-09-12 at 10 PDT (noon CDT). Access 
information for the meeting is here:

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openbmc mailing list