Some updates on the sage notebook security review project I'm working
on:

First threat model for the development process:

The model I created might apply to other open source applications or
systems, or even not purely open source ones, as it is focused on the
development process, code changes / contributions, and distribution of
code and packages. There isn't anything radically new or that people
weren't fully aware of before, but I think it does help highlight some
potential threats, even in the existing development process which is
fairly robust. From what I picked up at the Sage Days 16 conference
and talking to Martin Albrecht and William Stein, every bit of code
must get reviewed and 'earn' its way into the codebase. However, I
think the threat model shows there are still ways of bypassing this
process (e.g. faking positive reviews, modifying code or Trac records
after review, etc.). I'm not entirely sure how feasible or likely these
threats are, but I think they are still valid. They probably won't rate
very high on the list of priorities, but worth capturing.

The model is based on the Microsoft SDL (Security Development
Lifecycle) methodology, itself drawing from other methodologies like
the one in the Threat Modeling book (again by MS Press). The model is
based around a Data Flow Diagram (DFD), which lists the main
components and the flow of information between them: e.g. People,
processes, storage, data links. Whilst my initial 'gut feeling' was
that Microsoft isn't exactly the best source for information when it
comes to threat modeling, particularly for open source systems, I have
to say that most of it makes sense, and seems to apply. It's not
perfect, but seems like a good way to go through a checklist of items
and think about the threats that may apply to each. It is built around
Data Flows (and there's a tool which rather neatly allows you to draw
the Data Flows and then use it to list threats).

Please find a link to the threat model report generated by the MS tool
(and then converted fairly crudely to LaTeX). I will carry on working
and trying to produce a threat model for the core elements, i.e. sage
notebook and the usage (as opposed to dev) processes. This is still
work in progress obviously.

Please have a look at the PDF for more detailed information. It can be
downloaded from http://www.gingerlime.com/sageosThreatModel.pdf

I'm assuming some of the information I captured is inaccurate, wrong,
irrelevant etc. Hopefully some issues will be highlighted and I'll
update the model. Any other feedback, ideas, suggestions will be
greatly appreciated.

Cheers
Yoav
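As an added illustration of the DFD-driven approach described in the post (this is not Yoav's model, not the Sage project's code, and not the output of the Microsoft tool), the script below applies the "STRIDE-per-element" table from the SDL method to a small, hypothetical slice of a contribution process: contributor and reviewer as external entities, Trac as a data store, a merge step as a process, the main repository and a package mirror as further stores. The element names, trust boundaries and flows are assumptions chosen for the example; the only rule it encodes is the SDL mapping of element kinds to STRIDE categories, plus the usual check that flows crossing a trust boundary deserve the first look. The two bypasses mentioned above fall out of the enumeration: a faked positive review is Spoofing against the Reviewer entity, and an edited Trac record after review is Tampering against the Trac store.

```python
"""STRIDE-per-element enumeration over a small data-flow diagram (DFD).

Added example, not the Sage project's own tooling. The DFD below is a
hypothetical sketch of a contribution workflow; the element kinds and
their STRIDE categories follow the Microsoft SDL threat-modeling method.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# SDL "STRIDE-per-element" table: which threat categories apply to each
# kind of DFD element.  (Data flows get the three that concern data in
# transit; processes are exposed to all six.)
STRIDE_PER_ELEMENT: Dict[str, Tuple[str, ...]] = {
    "entity":  ("Spoofing", "Repudiation"),
    "process": ("Spoofing", "Tampering", "Repudiation",
                "Information disclosure", "Denial of service",
                "Elevation of privilege"),
    "store":   ("Tampering", "Repudiation", "Information disclosure",
                "Denial of service"),
    "flow":    ("Tampering", "Information disclosure", "Denial of service"),
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # one of the keys of STRIDE_PER_ELEMENT
    boundary: str   # trust boundary the element lives in (assumed labels)


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element


def stride_for(kind: str) -> Tuple[str, ...]:
    """STRIDE categories the SDL table assigns to a DFD element kind."""
    try:
        return STRIDE_PER_ELEMENT[kind]
    except KeyError:
        raise ValueError(f"unknown DFD element kind: {kind!r}") from None


def enumerate_threats(elements: List[Element],
                      flows: List[Flow]) -> List[Tuple[str, str]]:
    """Return (element name, STRIDE category) pairs for every element and flow."""
    threats = [(e.name, cat) for e in elements for cat in stride_for(e.kind)]
    threats += [(f.name, cat) for f in flows for cat in stride_for("flow")]
    return threats


def threats_for(threats: List[Tuple[str, str]], name: str) -> List[str]:
    """Categories enumerated for one named element or flow."""
    return [cat for who, cat in threats if who == name]


def boundary_crossings(flows: List[Flow]) -> List[Flow]:
    """Flows whose endpoints sit in different trust boundaries."""
    return [f for f in flows if f.src.boundary != f.dst.boundary]


def build_example_dfd() -> Tuple[List[Element], List[Flow]]:
    """Hypothetical contribution workflow (constructed for this example)."""
    contributor = Element("Contributor", "entity", "internet")
    reviewer = Element("Reviewer", "entity", "internet")
    trac = Element("Trac ticket records", "store", "sagemath-infra")
    merge = Element("Merge reviewed patch", "process", "release-manager")
    repo = Element("Main source repository", "store", "release-manager")
    mirror = Element("Package mirror", "store", "public")
    elements = [contributor, reviewer, trac, merge, repo, mirror]
    flows = [
        Flow("upload patch", contributor, trac),
        Flow("post positive review", reviewer, trac),
        Flow("read ticket with positive review", trac, merge),
        Flow("commit merged patch", merge, repo),
        Flow("publish release tarball", repo, mirror),
    ]
    return elements, flows


if __name__ == "__main__":
    elements, flows = build_example_dfd()
    threats = enumerate_threats(elements, flows)
    print(f"{len(threats)} candidate threats over {len(elements)} elements "
          f"and {len(flows)} flows")
    print("Flows crossing a trust boundary (review these first):")
    for f in boundary_crossings(flows):
        print(f"  {f.name}: {f.src.boundary} -> {f.dst.boundary}")
    # The two bypasses from the post, as the enumeration labels them:
    print("Reviewer:", threats_for(threats, "Reviewer"))
    print("Trac ticket records:", threats_for(threats, "Trac ticket records"))
```

The list this produces is only a set of candidates: each pair still has to be judged for feasibility and either mitigated (for example, Repudiation on the Trac store points at keeping an immutable audit log of ticket state changes) or explicitly accepted, which is the part of the SDL process a tool cannot do for you.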
--~--~---------~--~----~------------~-------~--~----~
To post to this group, send email to sage-devel@googlegroups.com
To unsubscribe from this group, send email to 
sage-devel-unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/sage-devel
URLs: http://www.sagemath.org
-~----------~----~----~----~------~----~------~--~---