-----BEGIN PGP SIGNED MESSAGE-----
The Fedora Security SIG is coming back with a new mission and new momentum. Previously the
Security SIG concentrated on security responses to vulnerabilities and answered questions
from the Fedora community. While this service isn't going away we will be adding two
new functions: secure coding education and code audit services.
Our secure coding mission is primarily educational. Writing software is really hard,
writing secure software is even harder. There's no way any software will ever be
written without bugs, but we can try to avoid some of the most common mistakes. Our first
steps are to document the common causes for security vulnerabilities in software and
provide information on preventing these vulnerabilities from happening. Red Hat has
started to track a subset of security flaws using Common Weakness Enumaration (CWE) IDs,
this needs to be expanded to cover Fedora security bugs. We also have a secure coding
guide, the Defensive Coding Guide, that is in the works, along with additional
For code audits, we're really not sure where to start. We want to involve the
community in this project, but honestly, we're not totally sure what that means. In
the short term we expect to just be more transparent about what sort of work Red Hat is
doing in this area and try to make public whatever information we can about code audits;
this can be sensitive obviously. If contributors have ideas, or want to help, please join
the discussion. This project is expected to evolve substantially over the next few
As everyone knows, security is a big deal and keeps getting more important every day.
Historically Fedora has done a fantastic job with security, one of the reasons the
previous SIG never really took off is because there was no need, Fedora was mostly secure
and didn't need fixing. While Fedora ils still secure, there is a lot of opportunity
to help. The nature of security is changing very rapidly, technologies like mobile and
cloud are changing everything. Rather than sit by and let this happen, we believe Fedora
should be out in front, working with the community to ensure open source remains the most
secure solutions available.
But don't let what has been said so far become a limit on what can be done. I'd
love to start working providing OVAL data, security bulletins, consult when questions
arise and more. If you have ideas please join up and lets start working!
You can find us on Freenode IRC in #fedora-security, on our mailing list, and in our
We look forward to your help.
- -- Eric
Eric "Sparks" Christensen
Fedora Project - Red Hat
sparks(a)redhat.com - sparks(a)fedoraproject.org
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
-----END PGP SIGNATURE-----