[zeromq-dev] Free security help from Google and Open Source Technology Improvement Fund, Inc
Amir Montazery
amir at ostif.org
Tue Nov 15 21:38:49 CET 2022
Thank you for the response, Trevor. For the sake of this pilot, we're
focusing mainly on libzmq. We have some folks who are very well-versed in
C++ ready to go.
On Tue, Nov 15, 2022 at 1:31 PM Trevor Bernard <trevor.bernard at gmail.com>
wrote:
> Is this strictly for libzmq or can child projects like jeromq get some
> help as well?
>
> On Tue, Nov 15, 2022 at 1:07 PM Amir Montazery <amir at ostif.org> wrote:
>
>> Thank you to everyone who has helped so far! What we can concretely offer
>> is below under "What you can expect". We totally understand you maintainers
>> are busy so the process is designed to be easy for those who participate.
>> We also have a budget to compensate maintainers who help out directly (that
>> can go to a nonprofit of the project's choice as well).
>>
>> Our first team of security experts is ready to meet the week of December
>> 5th if you'd like to participate.
>>
>> P.S. The OSTIF team plans to be in Brussels for FOSDEM, so we hope to see
>> some of you there!
>>
>> Thank you and let me know who would like to participate.
>>
>> - Amir
>>
>>
>> What you can expect
>>
>> Here is what we’re going to do (and need your help with) in a nutshell:
>>
>> - We’ll Perform an Initial Assessment
>>   - Meet with you to better understand and ask questions about your
>>     package – its architecture, design choices, known issues, and so on
>>   - Install Scorecard <https://github.com/ossf/scorecard#overview> if
>>     you don’t already have it – this evaluates your environment against a set
>>     of SDLC best practices (see https://securityscorecards.dev/ for
>>     more info) – and identify opportunities to improve low-scoring checks
>>   - Perform a quick code review, get your package to build, check for
>>     quality and best practices
>>   - Assess whether your package would benefit from fuzzing and is
>>     compatible with our OSS-Fuzz <https://google.github.io/oss-fuzz/>
>>     offering.
>>   - Assess whether your package would benefit from SLSA
>>     <https://slsa.dev/> and/or SBOM
>>     <https://security.googleblog.com/2022/06/sbom-in-action-finding-vulnerabilities.html>,
>>     software supply chain integrity (SSCI) technologies (for example, do your
>>     users commonly build from source or consume binaries that you build?)
>> - If Warranted, We’ll Proceed with an In-Depth Review
>>   - Perform a targeted code review on your package to identify
>>     security vulnerabilities or recommended defense-in-depth fixes
>>   - If applicable, integrate your package with the OSS-Fuzz offering
>>     and tune it to achieve maximum coverage.
>>   - Improve eligible Scorecard check scores
>>   - Assist you with deploying SLSA and SBOM
>>
>> Here’s what we’ll ask you to do:
>>
>> - During the Initial Assessment
>>   - Meet with us and our partners in a “kick-off” meeting where we’ll
>>     ask you a number of questions about your package and how it works to build
>>     a shared threat model and scope the review
>> - During Our In-Depth Review
>>   - Assist us with onboarding your package to OSS-Fuzz if applicable,
>>     and you’ll be compensated for doing so
>>   - Assist us with improving the Scorecard checks we recommend, and
>>     you’ll be compensated for each
>>   - Assist us with implementing SLSA and SBOM, if applicable, and
>>     you’ll be compensated for doing so
>> - After Our In-Depth Review
>>   - Review the security vulnerabilities we find (if any) and our
>>     recommended defense-in-depth fixes (if any), and remediate each
>>     vulnerability within a reasonable timeframe (we’ll work this out with you
>>     when the time comes), and you’ll be compensated for each
>>   - If applicable, produce a new build that includes all of the
>>     improvements made during this process
>>
>> On Mon, Oct 31, 2022 at 11:08 AM Amir Montazery <amir at ostif.org> wrote:
>>
>>> Awesome! Thank you for that Luca. Apologies for the lag, I was in
>>> Detroit last week for KubeCon meeting a number of projects we've done
>>> security engagements with and collecting feedback.
>>>
>>> I hope we can sync soon and discuss opportunities to help out with
>>> zeromq! Our org OSTIF (https://ostif.org/) has been advocating for
>>> providing free help to open source projects for almost 8 years now. We
>>> finally have some resources on our bench to help projects out with their
>>> security needs. I am finalizing what exactly that would look like in the
>>> next week!
>>>
>>> I'll have updates and resources for you soon. In the meantime feel free
>>> to reach out with any questions or feedback.
>>>
>>> Thank you,
>>> Amir
>>>
>>> On Wed, Oct 19, 2022 at 1:39 PM Luca Boccassi <luca.boccassi at gmail.com>
>>> wrote:
>>>
>>>> Thanks, existing fuzzers are the *_fuzzer.cpp files at:
>>>> https://github.com/zeromq/libzmq/tree/master/tests
>>>>
>>>> On Wed, 19 Oct 2022 at 16:04, Amir Montazery <amir at ostif.org> wrote:
>>>>
>>>>> Of course, that is understandable. Thank you all for maintaining such
>>>>> an important project despite your busy schedules! I hope we can find a way
>>>>> to help make your lives easier.
>>>>>
>>>>> What we can contribute is a security review by an experienced team to
>>>>> assess general design review; code quality, defensive programming, and best
>>>>> practices, as well as opportunities to improve fuzzing. Additional fuzzers
>>>>> can be built and the team can integrate the project to oss-fuzz for
>>>>> continuous monitoring of security issues. Based on our experience, when
>>>>> security teams have a line of contact with the project maintainers, they
>>>>> can be guided and better utilized to help.
>>>>>
>>>>> I'm fairly certain that we can provide new fuzzers/test cases and will
>>>>> get more specific details for you on that.
>>>>>
>>>>> Thank you!
>>>>> Amir
>>>>>
>>>>> On Tue, Oct 18, 2022 at 3:26 PM Luca Boccassi <luca.boccassi at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Thanks for the offer, but let's continue via mail please, we are all
>>>>>> very busy as-is.
>>>>>>
>>>>>> What can you contribute, concretely? I have already set up fuzzing
>>>>>> some time ago. Can you provide new fuzzers/test cases? If so that would be
>>>>>> great, just send pull requests to the repository.
>>>>>>
>>>>>> On Wed, 12 Oct 2022 at 13:10, Amir Montazery <amir at ostif.org> wrote:
>>>>>>
>>>>>>> We can help with whatever the project needs. The intention is to
>>>>>>> connect the project maintainer(s)/contributor(s) with our security team
>>>>>>> (made up of security experts and Google Open Source Security engineers) to
>>>>>>> help where the project needs it most. We can help with bug fixes, security
>>>>>>> tooling, i.e. fuzzing and developing fuzzers for the project, CI/CD, and
>>>>>>> anything else that will help zeromq be more secure!
>>>>>>>
>>>>>>> Thankfully we have resources to help and are able to compensate
>>>>>>> maintainer(s) who participate in the engagement to show our gratitude for
>>>>>>> your time and efforts.
>>>>>>>
>>>>>>> I'd be happy to set up a quick introductory call with anyone
>>>>>>> interested in learning more.
>>>>>>>
>>>>>>> Thank you and have a great day!
>>>>>>> Amir
>>>>>>>
>>>>>>> On Tue, Oct 11, 2022 at 10:05 PM Luca Boccassi <
>>>>>>> luca.boccassi at gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> What kind of support are you able to provide?
>>>>>>>>
>>>>>>>> On Tue, 11 Oct 2022 at 14:30, Amir Montazery <amir at ostif.org>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Yes, I meant zeromq. Thank you Arnaud! That is my mistake.
>>>>>>>>>
>>>>>>>>> That’s great news, we have teams ready to help. Would you be a
>>>>>>>>> good person to coordinate that with? If anyone else comes to mind to
>>>>>>>>> include please let me know!
>>>>>>>>>
>>>>>>>>> I would be happy to set up a quick call to meet and discuss how we
>>>>>>>>> can best be of service to the zeromq project.
>>>>>>>>>
>>>>>>>>> Thank you,
>>>>>>>>> Amir
>>>>>>>>>
>>>>>>>>> On Tue, Oct 11, 2022 at 1:22 PM Arnaud Loonstra <
>>>>>>>>> arnaud at sphaero.org> wrote:
>>>>>>>>>
>>>>>>>>>> Are you sure you are on the right list? This is the zeromq list, not
>>>>>>>>>> dnsmasq.
>>>>>>>>>>
>>>>>>>>>> We'd appreciate any help for sure!
>>>>>>>>>>
>>>>>>>>>> Rg,
>>>>>>>>>>
>>>>>>>>>> Arnaud
>>>>>>>>>>
>>>>>>>>>> On 07-10-2022 21:46, Amir Montazery wrote:
>>>>>>>>>> > Hello dnsmasq community! OSTIF would like to help improve your
>>>>>>>>>> > security posture!
>>>>>>>>>> >
>>>>>>>>>> > I’m Amir from Open Source Technology Improvement Fund, Inc.
>>>>>>>>>> > OSTIF <https://ostif.org/> is a nonprofit solely dedicated to
>>>>>>>>>> > helping open source projects improve their security for free.
>>>>>>>>>> >
>>>>>>>>>> > We are working with a team of Google engineers and security
>>>>>>>>>> > experts to help important open source projects like dnsmasq. This
>>>>>>>>>> > includes helping improve testing, reviewing code, implementing more
>>>>>>>>>> > security tools, and improving supply chain security.
>>>>>>>>>> >
>>>>>>>>>> > Additionally, we understand the time constraints that open
>>>>>>>>>> > source contributors have, and would like to compensate contributors
>>>>>>>>>> > for their time working with us.
>>>>>>>>>> >
>>>>>>>>>> > We would love to work with you! Please let me know who we
>>>>>>>>>> > should be talking to and how we can help!
>>>>>>>>>> >
>>>>>>>>>> > Thank you in advance for your consideration!
>>>>>>>>>> >
>>>>>>>>>> > Best,
>>>>>>>>>> >
>>>>>>>>>> > Amir
>>>>>>>>>> >
>>>>>>>>>> > --
>>>>>>>>>> > *Amir Montazery*
>>>>>>>>>> > Managing Director
>>>>>>>>>> > Open Source Technology Improvement Fund
>>>>>>>>>> > https://ostif.org/
>>>>>>>>>> > https://calendly.com/ostif
>>>>>>>>>> >
>>>>>>>>>> > _______________________________________________
>>>>>>>>>> > zeromq-dev mailing list
>>>>>>>>>> > zeromq-dev at lists.zeromq.org
>>>>>>>>>> > https://lists.zeromq.org/mailman/listinfo/zeromq-dev
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>>
>
--
*Amir Montazery*
Managing Director
Open Source Technology Improvement Fund
https://ostif.org/
https://calendly.com/ostif