Public security scan tools

krtaylor kurt.r.taylor at gmail.com
Sat May 2 11:01:50 AEST 2020


On 4/30/20 3:28 PM, Joseph Reynolds wrote:
> On 4/30/20 3:05 PM, Joseph Reynolds wrote:
>> On 4/28/20 11:12 AM, Joseph Reynolds wrote:
>>> This is a reminder of the OpenBMC Security Working Group meeting 
>>> scheduled for this Wednesday April 29 at 10:00am PDT.
>>
> ...snip...
>>>
>> Item 8 added during the meeting:
>> 8. How do we run dynamic scan tools that are privately licensed and 
>> the output of which is copyrighted which means it cannot be shared 
>> with the OpenBMC community?
>> We shared our current practices which does allow pushing the fixes 
>> back into the project.  TODO: Joseph will document this practice and 
>> add it to the security working group wiki.
>> Then we discussed if we can use tools because we are a Linux Foundation 
>> project.   TODO: Joseph to follow up with Kurt.
>>
>> - Joseph
> 
> Kurt (as OpenBMC Community Manager),
> 
> Does being a Linux Foundation Project help?  Can we get access to 
> security scan tools that normally require a license to use?
> See 
> https://github.com/openbmc/openbmc/wiki/Security-working-group#using-dynamic-security-scan-tools 

Next time, please address me specifically on the email; it is pure 
coincidence that I actually saw this message :)

No, we do not automatically get access to any LF services except what is 
already called out in our charter. :-( It never hurts to ask, maybe it 
will be free?

If not, I would recommend that the individual companies that use these 
services as a part of their product testing, would hopefully push any 
security fixes upstream.

  - Kurt Taylor (krtaylor)


> Is there some way we can open up the process of dynamic scan testing to 
> the community?  What are the best practices?
> 
> - Joseph
> 
