Differences between revisions 2 and 3
Revision 2 as of 2007-03-10 15:09:19
Size: 2540
Comment:
Revision 3 as of 2009-03-16 03:30:32
Size: 2547
Editor: anonymous
Comment: converted to 1.6 markup
Line 11: Line 11:
As part of its QA process, Debian has developed some automatic checking tools to do an automatic review of Debian packages. These tools (lintian and linda) can be used locally by Debian maintainers and are also used in a [http://lintian.debian.org portal] so that all reports are public. As part of its QA process, Debian has developed some automatic checking tools to do an automatic review of Debian packages. These tools (lintian and linda) can be used locally by Debian maintainers and are also used in a [[http://lintian.debian.org|portal]] so that all reports are public.
Line 13: Line 13:
The [http://www.debian.org/security/audit/t Debian Security Audit Team] started over a year ago in an attempt to review the packages distributed by Debian (after establishing some [http://www.debian.org/security/audit/packages  priorities]) with some [http://www.debian.org/security/audit/tools security audit tools]. The [[http://www.debian.org/security/audit/t|Debian Security Audit Team]] started over a year ago in an attempt to review the packages distributed by Debian (after establishing some [[http://www.debian.org/security/audit/packages|priorities]]) with some [[http://www.debian.org/security/audit/tools|security audit tools]].
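Review bot: the first link target in this hunk, `http://www.debian.org/security/audit/t`, looks truncated when set beside the full `/security/audit/packages` and `/security/audit/tools` targets on the same line, and the 1.6 markup conversion carried it over unchanged; verify where the `[[...|Debian Security Audit Team]]` link is meant to point before keeping it.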

Automatic source code security review portal

  • Mentor: JavierFernandezSanguino

  • Summary: Portal to implement automatic security review of Debian distributed software

  • Required skills:

    • C programming (internals and tools)
    • PHP programming (frontend)

Description

As part of its QA process, Debian has developed automatic checking tools that review Debian packages. These tools (lintian and linda) can be run locally by Debian maintainers and are also run on a portal so that all reports are public.

The Debian Security Audit Team started over a year ago in an attempt to review the packages distributed by Debian (after establishing some priorities) with some security audit tools.

To ease the security review process, these tools need to be run automatically over the whole archive and, using pre-defined metrics, identify the software the audit team needs to focus on. That way, security bugs would be detected and removed from vulnerable software before it entered the "testing" distribution and, later, the "stable" distribution. Reducing the number of vulnerabilities in released software would benefit our users (their exposure when using the Debian distribution would be reduced) and would also help the project, since it would eventually reduce the workload of the Security Testing Team.

The goal of this project is to develop a source code security review service based on existing tools and a set of metrics in order to:

  • automatically generate and publish reports using these tools, which would be run through all the archive
  • generate a "security" score for the different packages available
  • show graphs representing the score evolution of both packages in the distribution and the distribution overall
  • detect which packages cannot be reviewed (using these tools) because of the way they are being packaged
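As an added illustration, not code from the project or from the original page, the scoring back end behind these goals might look like this: it parses a constructed, hypothetical finding format, weights each finding by level per thousand lines of source, flags packages where the tools found no reviewable source, and computes the per-package and archive-wide numbers the graphs would be built from. The finding format, the level weights and the sample data are all assumptions.

```python
import re
from collections import defaultdict
# Constructed sample input (not real tool output): one finding per line in a
# simplified, hypothetical "package version file:line level description" form.
SAMPLE_FINDINGS = """\
foo 1.0-1 src/net.c:42 5 strcpy: does not check for buffer overflows
foo 1.0-1 src/net.c:88 4 sprintf: does not check for buffer overflows
foo 1.0-1 src/main.c:10 1 getenv: environment variables are untrustable input
bar 2.3-2 lib/parse.c:7 2 strlen: may read past the end of the buffer
"""
# Constructed: KLOC of C source the tools could scan; 0 = nothing reviewable.
SAMPLE_KLOC = {"foo": 12.0, "bar": 3.5, "baz": 0.0}

# Hypothetical metric: each finding weighted by its level, normalised per KLOC.
LEVEL_WEIGHT = {0: 0.0, 1: 0.5, 2: 1.0, 3: 2.0, 4: 5.0, 5: 10.0}
FINDING_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) ([0-5]) (.+)$")

def parse_findings(text):
    """Parse the constructed finding format into dicts; reject malformed lines."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line)
        if not m:
            raise ValueError(f"unparseable finding: {line!r}")
        pkg, ver, path, lineno, level, desc = m.groups()
        findings.append({"package": pkg, "version": ver, "file": path,
                         "line": int(lineno), "level": int(level), "desc": desc})
    return findings

def score_packages(findings, kloc):
    """Per-package score (higher = review first); None = tools had no source to scan."""
    weighted = defaultdict(float)
    for f in findings:
        weighted[f["package"]] += LEVEL_WEIGHT[f["level"]]
    return {pkg: (None if lines == 0 else round(weighted[pkg] / lines, 2))
            for pkg, lines in kloc.items()}

def unreviewable(scores):
    """Packages the tools could not review, to be reported to their maintainers."""
    return sorted(pkg for pkg, s in scores.items() if s is None)

def distribution_score(scores):
    """Archive-wide score: mean over reviewable packages (for the overall graph)."""
    vals = [s for s in scores.values() if s is not None]
    return round(sum(vals) / len(vals), 2) if vals else None

def score_delta(previous, current):
    """Per-package change between two snapshots; skips packages unreviewable in either."""
    return {pkg: round(current[pkg] - previous[pkg], 2) for pkg in current
            if current[pkg] is not None and previous.get(pkg) is not None}
```

Feeding `score_packages` the output of two successive archive runs and diffing them with `score_delta` gives the per-package evolution series; `distribution_score` gives the archive-wide point for the same snapshot.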

This service could help:

  • Package maintainers and upstream authors, as they could use the published reports to review the software they are maintaining
  • The Security Audit Team, since it could focus on software that is highlighted as "more vulnerable" than others

The service should be implemented so that new security audit tools can be added as they become available.