Open Source Security

From Google Summer of Code Mentor Wiki

Open Source Security:

  • Reducing privilege on all architectures
    • Windows
    • Mac
  • Paging secrets to disk
  • Learning/telling about security problems (PR?)
    • reporting/broadcasting security problems
      • public disclosure
      • do blackhats really know about it before the news spreads?
    • releasing the update
      • PGP signing the release
    • getting people to update
      • package management
    • PR for zero day
      • more security holes get more press which forces more updates
  • Code hardening/best practices
    • code/peer review
    • language differences
    • static analysis/dynamic analysis tools
      • Coverity (C, C++, Java, future-C#)
      • review board
    • repositories (security, best practices)
      • git-branches
      • subversion repos
      • source control ACLs?
      • dragonfly
      • checking commits for optimized code before merging back to main
  • Bootstrapping trust/keyring management
  • Combining services and credentials
  • Secure/prompt updates/package management
    • option for automated updates
    • email update
    • usability ease
    • back-porting to a current stable version
  • Upstream versus packages: openssl, rng...
    • do vendors establish relationships with Linux distros?
  • Getting/distribute good entropy (VMs, embedded)
    • don't do entropy on install phase
    • virtual device in the VM that monitors
  • VMs