Pentest / Source Code Review #65
Comments
Example considerations (non-exhaustive list):
We may want to document specific security objectives. As you stated, to me there is a clear security boundary between the operator and server; an operator should not inherently be able to run commands or code on the server. I also added an "audit log" to the server for a white team to review, which records all of the (remote) operator's commands and relies on this boundary.
Totally agree with this. Also, I don't know the status for other projects, but I think putting detailed GitHub issues with the security label could be enough for the reporting part.
I'd be happy to help in this effort, but I'll need to tackle some other PRs to familiarize myself with the codebase. If I don't circle back to this in a couple of weeks, ping me.
@altf4 - If R&D wants to chip in :)
Coverity offers free scans for OSS projects, maybe we should try.
From their main page:
Sorry, golang is available in 2019.06 but the scan is still on 2019.03; maybe in a few months they will upgrade to 2019.06.
Get someone other than myself and Ronan to review the code.