Fedora Security SIG Update

Zan fedora at zaniyah.org
Tue Jul 9 19:51:27 UTC 2013 

On 09/07/13 14:43,, Tristan Santore wrote:
> On 09/07/13 14:33, Eric H. Christensen wrote:
>> The Fedora Security SIG is coming back with a new mission and new
>> momentum. Previously the Security SIG concentrated on security
>> responses to vulnerabilities and answered questions from the Fedora
>> community. While this service isn't going away we will be adding
>> two new functions: secure coding education and code audit
>> services.
>>
>> Our secure coding mission is primarily educational. Writing
>> software is really hard, writing secure software is even harder.
>> There's no way any software will ever be written without bugs, but
>> we can try to avoid some of the most common mistakes. Our first
>> steps are to document the common causes for security
>> vulnerabilities in software and provide information  on preventing
>> these vulnerabilities from happening. Red Hat has started to track
>> a subset of security flaws using Common Weakness Enumaration (CWE)
>> IDs, this needs to be expanded to cover Fedora security bugs.  We
>> also have a secure coding guide, the Defensive Coding Guide[0],
>> that is in the works, along with additional documentation.
>>
>> For code audits, we're really not sure where to start. We want to
>> involve the community in this project, but honestly, we're not
>> totally sure what that means. In the short term we expect to just
>> be more transparent about what sort of work Red Hat is doing in
>> this area and try to make public whatever information we can about
>> code audits; this can be sensitive obviously. If contributors have
>> ideas, or want to help, please join the discussion. This project is
>> expected to evolve substantially over the next few months.
>>
>> As everyone knows, security is a big deal and keeps getting more
>> important every day. Historically Fedora has done a fantastic job
>> with security, one of the reasons the previous SIG never really
>> took off is because there was no need, Fedora was mostly secure and
>> didn't need fixing. While Fedora ils still secure, there is a lot
>> of opportunity to help. The nature of security is changing very
>> rapidly, technologies like mobile and cloud are changing
>> everything. Rather than sit by and let this happen, we believe
>> Fedora should be out in front, working with the community to ensure
>> open source remains the most secure solutions available.
>>
>> But don't let what has been said so far become a limit on what can
>> be done.  I'd love to start working providing OVAL data, security
>> bulletins, consult when questions arise and more.  If you have
>> ideas please join up and lets start working!
>>
>> You can find us on Freenode IRC in #fedora-security, on our mailing
>> list[1], and in our GIT repository[2].
>>
>> We look forward to your help.
>>
>> [0]
>> https://docs.fedoraproject.org/en-US/Fedora_Security_Team//html/Defensive_Coding/index.html
>>
>>
> [1] https://lists.fedoraproject.org/mailman/listinfo/security
>> [2] https://fedorahosted.org/secure-coding/
>>
>> -- Eric
>>
>> -------------------------------------------------- Eric "Sparks"
>> Christensen Fedora Project - Red Hat
>>
>> sparks at redhat.com - sparks at fedoraproject.org 097C 82C3 52DF C64A
>> 50C2  E3A3 8076 ABDE 024B B3D1 
>> -------------------------------------------------- -- security
>> mailing list security at lists.fedoraproject.org 
>> https://admin.fedoraproject.org/mailman/listinfo/security
>>
> Eric,
>
> brilliant idea, especially the secure coding education. There needs to
> be better guidance on problems, with real examples of code that are
> wrong, how one can exploit the flaw and what the correct way is to
> code something to prevent it from being exploitable.
> This should also include examples of proper logging and graceful
> shutdown, versus crashing.
>
> Also, there should be examples for c/c++, python,php, ruby, or
> whatever else, makes everyone's boats float.

OWASP has these on their site already.  Perhaps we just need to point
people in the right direction?

> Sadly, Universities just seem to teach students basics, with no
> interest in doing it right. This is an appalling state of affairs for
> everyone in industry/business, consumers and government.

There is plenty of interest in doing it right.  The trouble is finding
people with the expertise who want and have time to teach it, and
fitting it in.  Generally there is a great desire to pack far too much
into a 3 year undergraduate year and not enough time to teach it, and
you also have to hope that the students pay attention.  In my experience
they tend to forget things that don't interest them right now, and
programming defensively is a difficult subject to make exciting.

> Maybe adding advice on securing services should also be covered.

This would be helpful.  I'm not sure if we have something like this
already, but if not, then I have found the idea of the Gentoo security
handbook to be a good one that perhaps we could be inspired by.

>
> Also, it would be nice to see more activity on the security list and
> the channel.
>
> Great idea!
>
> Thank you,
>
> Tristan
>

Z.

More information about the security mailing list