Security testing: need for a security policy, and a security-critical package process

Eric Christensen eric at christensenplace.us
Tue Dec 1 17:47:23 UTC 2009


On Mon, Nov 30, 2009 at 22:40, Hal Murray <hmurray at megapathdsl.net> wrote:

>
> gene at czarc.net said:
> ...
> > A written description of the security policy is a must!
> ...
>
> Is the idea of a single one-size-fits-all security policy reasonable?  I
> think Fedora has a broad range of users.
>

Probably not, but there are some basics that should be implemented for
everyone.

>
> Security is a tradeoff.  If you make it impossible for the bad guys to get
> in, the good guys probably can't get any work done.  How secure do you need
> to be?  How much are you willing to pay for it?
>

How much are you willing to pay to clean up the aftermath?


>
> I'd much rather have an overview document that explains the likely attacks
> and potential solutions, and their costs and benefits.  Additionally, I
> think it's much easier to follow a policy if I understand the reasoning
> behind it.
>

The Fedora Security Guide (found at docs.fedoraproject.org and in a friendly
repo near you) started out that way and has blossomed into that and a whole
lot more.  As always, suggestions and patches are welcome.


> I think sample policy documents with descriptions of their target audience
> and checklists for how to implement them would be helpful.
>

+1


--Eric