Proposal: Security show & tell sessions
Joseph Reynolds
joseph-reynolds at charter.net
Wed Sep 12 00:49:38 AEST 2018
I am proposing a series of security show & tell sessions. Each week's
session would be focused on a single area such as bmcweb, using LDAP, or
secure code update and would bring together developers and security pros
to talk about that area's security considerations. I hope to distill
baseline documentation from each discussion.
The discussion I have in mind is structured for a security review. It
begins by explaining the area to a software engineer new to the area:
what the area does, where the docs are, the main sets of interfaces,
etc. That helps to make implicit knowledge explicit. Then we talk
about interfaces, especially those that are interesting to security.
That helps provide a shared context to discuss assets, threats, and
security controls. The discussion is over at the end of the hour; we
can do followup sessions later.
The cost to development leaders is half a day (for prep, discussion, and
review) for each area. The benefits to the project include a security
review of each area, with documentation usable by new developers, to
encourage peer review, and for security professionals as a starting
point for more thorough analysis such as here:
https://en.wikipedia.org/wiki/Information_security.
I plan to discuss details of the proposal in the OpenBMC Security
Working Group meeting (agenda:
https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI).
The meeting is Wednesday 2018-09-12 at 10 PDT (noon CDT). Access
information for the meeting is here:
https://github.com/openbmc/openbmc/wiki/Security-working-group.