All,
I've been making some notes starting with the Tomcat Security Day in
Bratislava and continuing through the TTX @ Denver as well as
presentations by Jarek and others about security posture, incident
response, etc.
I'd like to be able to offer my own expertise and experience to any
project interested in improving their security posture. These are in
order roughly by LOE from easiest to hardest.
• Canned responses to issues (?)
• security.txt
• Dedicated security team ([email protected])
◦ Reduce security@ and private@ where appropriate/possible
• Create and document detailed incident response
◦ Including key contacts and contact information
• Disable inherently insecure features
• Documented release process
• Documented security / threat model(s)
• Reproducible builds
• Automated release process
• SBOMs
• Harden CI workflows (?)
The (?) items came directly from Jarek's talk yesterday and I didn't
have time to discuss with him what exactly they meant. "Canned
responses" seemed straightforward to me but "Harden CI workflows" was
less clear.
Comments are certainly appreciated.
-chris
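The security.txt item in the list above is the one that has a precise, checkable definition (RFC 9116), and the mistakes projects make with it are repetitive: no Expires line, an Expires far in the future or already past, a Contact that is a bare address instead of a mailto:/https:/tel: URI, a misspelled field name. The following validator is an added example written for this page; it is not code from the original e-mail or from any Apache project. The two sample files and the example.org URLs are constructed for illustration, and the fixed reference time is used so the result does not depend on the day the check runs.

```python
"""Validate a security.txt file against the RFC 9116 rules that are easy to get wrong.

Added example for this page; not part of the original e-mail or of any Apache
project. The sample files below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Fields RFC 9116 defines; anything else is an extension field, usually a typo.
KNOWN_FIELDS = {
    "Acknowledgments", "Canonical", "Contact", "Encryption",
    "Expires", "Hiring", "Policy", "Preferred-Languages",
}
# RFC 9116 requires Contact values to be URIs; these are the schemes it names.
CONTACT_SCHEMES = ("https://", "mailto:", "tel:")

# Fixed "now" so the demo and its checks are reproducible (constructed, not real).
REFERENCE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed well-formed file for a hypothetical project site.
GOOD_SECURITY_TXT = """\
# Constructed example for a hypothetical project site
Contact: mailto:security@example.org
Contact: https://example.org/security
Expires: 2024-06-30T00:00:00Z
Preferred-Languages: en
Canonical: https://example.org/.well-known/security.txt
"""

# Constructed file with typical mistakes: misspelled Contact, expired, duplicate.
BAD_SECURITY_TXT = """\
Contacts: security@example.org
Expires: 2023-01-01T00:00:00Z
Preferred-Languages: en
Preferred-Languages: de
"""


def parse_security_txt(text):
    """Return (fields, errors); fields is a list of (name, value) in file order.

    Comment lines start with '#', blank lines are skipped, and each field is
    'Name: value'. Field names are case-insensitive, so known names are
    normalised to the RFC spelling before later checks look them up.
    """
    canon = {f.lower(): f for f in KNOWN_FIELDS}
    fields, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            errors.append(f"line {lineno}: not a 'Field: value' line: {line!r}")
            continue
        name, value = (part.strip() for part in line.split(":", 1))
        fields.append((canon.get(name.lower(), name), value))
    return fields, errors


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields, errors = parse_security_txt(text)
    by_name = {}
    for name, value in fields:
        by_name.setdefault(name, []).append(value)

    # Contact: at least one, and every value must be a URI with an accepted scheme.
    contacts = by_name.get("Contact", [])
    if not contacts:
        errors.append("Contact: required field is missing")
    for c in contacts:
        if not c.lower().startswith(CONTACT_SCHEMES):
            errors.append(f"Contact: not a URI with an accepted scheme: {c!r}")

    # Expires: exactly one RFC 3339 date-time, in the future, ideally under a year out.
    expires = by_name.get("Expires", [])
    if len(expires) != 1:
        errors.append(f"Expires: exactly one value required, found {len(expires)}")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                errors.append("Expires: timestamp lacks a timezone offset")
            elif exp <= now:
                errors.append(f"Expires: file has expired ({expires[0]})")
            elif exp - now > timedelta(days=365):
                errors.append("Expires: more than a year out (RFC 9116 recommends less)")
        except ValueError:
            errors.append(f"Expires: not an RFC 3339 date-time: {expires[0]!r}")

    # Preferred-Languages may appear at most once.
    if len(by_name.get("Preferred-Languages", [])) > 1:
        errors.append("Preferred-Languages: must not appear more than once")

    # Unknown fields are legal extensions but are almost always typos (e.g. 'Contacts').
    for name in by_name:
        if name not in KNOWN_FIELDS:
            errors.append(f"{name}: not a field defined by RFC 9116 (typo?)")
    return errors


if __name__ == "__main__":
    for label, sample in (("good", GOOD_SECURITY_TXT), ("bad", BAD_SECURITY_TXT)):
        print(label, check_security_txt(sample, now=REFERENCE_NOW) or "OK")
```

The check is intentionally strict about the Expires window and the Contact scheme because those are the two fields that make the file useless in practice: a researcher who finds an expired file or a bare address has no assurance the contact is still monitored. Running the script against a project's real `/.well-known/security.txt` (fetched separately) is the obvious next step; the checks here cover only the field-level rules, not the serving requirements such as HTTPS delivery or the file's location.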