Public security scan tools (was: Security Working Group)

Joseph Reynolds jrey at linux.ibm.com
Fri May 1 06:28:44 AEST 2020


On 4/30/20 3:05 PM, Joseph Reynolds wrote:
> On 4/28/20 11:12 AM, Joseph Reynolds wrote:
>> This is a reminder of the OpenBMC Security Working Group meeting 
>> scheduled for this Wednesday April 29 at 10:00am PDT.
>
...snip...
>>
> Item 8 added during the meeting:
> 8. How do we run dynamic scan tools that are privately licensed and 
> the output of which is copyrighted which means it cannot be shared 
> with the OpenBMC community?
> We shared our current practices, which do allow pushing the fixes 
> back into the project.  TODO: Joseph will document this practice and 
> add it to the security working group wiki.
> Then we discussed if we can use tools because we are a Linux Foundation 
> project.   TODO: Joseph to follow up with Kurt.
>
> - Joseph

Kurt (as OpenBMC Community Manager),

Does being a Linux Foundation Project help?  Can we get access to 
security scan tools that normally require a license to use?
See 
https://github.com/openbmc/openbmc/wiki/Security-working-group#using-dynamic-security-scan-tools

Is there some way we can open up the process of dynamic scan testing to 
the community?  What are the best practices?

- Joseph


