====This is WORK IN PROGRESS====

Proposed guidelines

  • An issue that is considered a security issue must be tracked in JIRA with the label set to "security" and the flag set to "important".
    • The ticket must state the source of the finding (reporter, scan, audit) and describe the vulnerability.
  • An issue can be marked as a security issue when the ticket is created or at any later point, as soon as that determination is made.
  • The fix for an identified security issue will be applied to all active branches, including every prior release that is still supported.
  • Issues may have one of two security levels (INFRA-14182). Level 2 is used for critical issues whose exploit mechanism is best not publicized while a fix is in progress.
    • 1: Viewable by all, editable only by Committers and specific additional users
    • 2: Viewable and editable only by Committers and specific additional users
  • Once fixed, all issues should be set back to level 1.

How to determine security issues

  • Run static code analysis (Coverity) scans on every release to find defects such as buffer overflows, memory corruption and null pointer dereferences.
  • Use dependency-scanning tools that match third-party components against public vulnerability databases such as the NIST National Vulnerability Database (NVD), as well as against the tool's own database.
  • Penetration tests (white box, black box, physical) undertaken as part of a security audit.

Best Practices
