Re: [iot-pmc] Consider using OWASP Dependency-Check to scan vulnerabilities in Eclipse IoT projects?

Hi Benjamin,

this sounds like a great idea!

I am not really sure if a common parent POM really helps here.

I would like to see this effort in a bigger security effort though, because I do think that especially for IoT, security is an important topic. Offering such a service is great, but actually encouraging projects to make use of it may be the harder part. And this scanner is only one part of this (but an important one). We also have the issue of default passwords, missing information about how to report security issues on projects' homepages, etc.

So I do know that this may drift a bit off topic now, but aside from offering this service for our projects, I think it would be great to have something like an "Eclipse Security program", with a logo/shield/badge and some sort of reference list, etc., where projects can join in if they follow some guidelines. One of those guidelines would be providing a security scan with this tool for each release (in whatever technical way they like best), stopping the use of default passwords, etc.

Cheers

Jens


On Wed, Jan 4, 2017 at 1:30 PM, Benjamin Cabé <benjamin@xxxxxxxxxxx> wrote:

Hi,


In the recent past, we’ve discussed how we could do better at 1/ identifying vulnerabilities in Eclipse IoT projects and 2/ report & track them better.

On the former, I think it would be interesting to investigate whether OWASP Dependency-Check [1] could be a useful tool to find known, publicly disclosed vulnerabilities in the dependencies of our projects. I ran their command line tool against several projects this morning, and it is really easy to use.

The command line tool is very handy since you don’t need to instrument the existing code base, but the tool also comes in the form of a Maven plugin that should be pretty straightforward to set up. It has a Jenkins plugin as well.


What do you guys think?


FWIW, and thinking out loud here, I am wondering if these things would make sense in the longer run:

- We could have the reports produced by OWASP (or any similar tool) consolidated somehow so as to make it easy for people to glance at the current state of things, security wise. This could be a link to the Security report of each project (maybe directly served by Hudson/Jenkins) in the PMI?

- Would having a common parent POM for Eclipse IoT projects be helpful to make sure things like having the OWASP plugin pre-configured would be inherited “for free” by all Eclipse IoT projects? I guess this is more of a topic for the CBI [2], though.


Cheers,

Benjamin -


[1] https://www.owasp.org/index.php/OWASP_Dependency_Check

[2] https://wiki.eclipse.org/CBI



Benjamin Cabé – IoT Evangelist


Eclipse Foundation
+33 (0) 619196101
@kartben



_______________________________________________
iot-pmc mailing list
iot-pmc@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/iot-pmc




--
Jens Reimann
Senior Software Engineer / EMEA ENG Middleware
Werner-von-Siemens-Ring 14
85630 Grasbrunn
Germany
phone: +49 89 2050 71286
_____________________________________________________________________________

Red Hat GmbH, www.de.redhat.com,
Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill
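For reference, a parent POM fragment of the kind Benjamin proposes above, added here as an example and not taken from the thread, from OWASP, or from any Eclipse IoT project: it assumes the hypothetical coordinates org.example.iot:iot-parent and an assumed plugin version, while the plugin coordinates, the `check` goal and the `failBuildOnCVSS` / `formats` parameters are the real ones documented for dependency-check-maven. Modules that declare this POM as their parent get the scan on every `mvn verify` without further configuration, and the build fails when a dependency carries a known vulnerability at or above the configured CVSS score.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hypothetical parent POM (example, not from the thread or any Eclipse project). -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <groupId>org.example.iot</groupId>      <!-- hypothetical coordinates -->
  <artifactId>iot-parent</artifactId>
  <version>1.0.0</version>
  <packaging>pom</packaging>

  <properties>
    <!-- Assumed plugin version; replace with a current Dependency-Check release. -->
    <dependency-check.version>8.4.0</dependency-check.version>
    <!-- Fail the build for any finding with CVSS >= 7 (High). Projects may override
         this property, but they cannot silently drop the scan itself. -->
    <dependency-check.failBuildOnCVSS>7</dependency-check.failBuildOnCVSS>
  </properties>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${dependency-check.version}</version>
        <configuration>
          <failBuildOnCVSS>${dependency-check.failBuildOnCVSS}</failBuildOnCVSS>
          <!-- HTML for people glancing at the report, XML for Jenkins/Hudson to
               consolidate per project, as suggested in the thread. -->
          <formats>
            <format>HTML</format>
            <format>XML</format>
          </formats>
        </configuration>
        <executions>
          <execution>
            <!-- The check goal binds to the verify phase by default, so every
                 inheriting module is scanned on "mvn verify" and "mvn install". -->
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

The report lands in each module's `target/` directory, which is the artifact a CI job would publish or link from the PMI.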
