Fedora Security SIG Update

The Fedora Security SIG (Special Interests Groups) is coming back with a new mission and new momentum!

Previously the Security SIG concentrated on security responses to vulnerabilities and answered questions from the Fedora community. While this service isn’t going away we will be adding two new functions: secure coding education and code audit services.

tx8o

Our secure coding mission is primarily educational. Writing software is really hard, writing secure software is even harder. There’s no way any software will ever be written without bugs, but we can try to avoid some of the most common mistakes. Our first steps are to document the common causes for security vulnerabilities in software and provide information  on preventing these vulnerabilities from happening. Red Hat has started to track a subset of security flaws using Common Weakness Enumaration (CWE) IDs, this needs to be expanded to cover Fedora security bugs.  We also have a secure coding guide, the Defensive Coding Guide, that is in the works, along with additional documentation.

For code audits, we’re really not sure where to start. We want to involve the community in this project, but honestly, we’re not totally sure what that means. In the short term we expect to just be more transparent about what sort of work Red Hat is doing in this area and try to make public whatever information we can about code audits; this can be sensitive obviously. If contributors have ideas, or want to help, please join the discussion. This project is expected to evolve substantially over the next few months.

As everyone knows, security is a big deal and keeps getting more important every day. Historically Fedora has done a fantastic job with security, one of the reasons the previous SIG never really took off is because there was no need, Fedora was mostly secure and didn’t need fixing. While Fedora is still secure, there is a lot of opportunity to help. The nature of security is changing very rapidly, technologies like mobile and cloud are changing everything. Rather than sit by and let this happen, we believe Fedora should be out in front, working with the community to ensure open source remains the most secure solutions available.

But don’t let what has been said so far become a limit on what can be done.  We’d love to start working providing OVAL data, security bulletins, consult when questions arise and more.  If you have ideas please join up and lets start working!

You can find the Security SIG on Freenode IRC in #fedora-security, or in their mailing list, and in the GIT repository.

Fedora Project community

1 Comment

  1. james

    Youre thus cool! I dont suppose Ive go through anything like this before. Consequently nice to get somebody with many original thoughts on this subject. realy thank you for starting up this upward. this website is a thing that is needed on the internet, someone with a little originality. valuable job for taking something new online!

Comments are Closed

The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions