meta-freescale.lists.yoctoproject.org archive mirror
* Re: [meta-xilinx] addressing security in Yocto
       [not found] <3f190ec8540544b6a694b5f2cd089c30@XCGC3023.northgrum.com>
@ 2020-02-04 23:29 ` Mark Hatle
  0 siblings, 0 replies; only message in thread
From: Mark Hatle @ 2020-02-04 23:29 UTC (permalink / raw)
  To: Minelik, Ben [US] (MS), meta-freescale, meta-xilinx, meta-ti
  Cc: yocto-security

Security requires a holistic approach.  This can be divided into design and
defect response.

The design aspect of this is left to the implementer of the device.  However, as
a project we need to do a better job at defining defaults, and looking for items
like SCAP that can be used to help people design/implement more secure devices.

On the defect (security) response side, work is in progress on this.

Currently there is a script that will pull down CVE information and attempt to
determine if a recipe may be affected based on specific CPE information.  But in
the end, this is a reactive approach that relies on other people to do initial
triage and assign the CPEs (and other information).

This means we really need a more proactive response approach.  The tooling for
this is nearly ready to go.  We have the security response tool (which is part
of the Yocto Project) designed to help us perform triage, and a small group of
us has been working on a process around performing the triage.

In the near future, I will be trying to post to the yocto-security list triage
status and other issues we find.  When I begin posting, I will be inviting
people to help contribute to our triage, and response process.  (Currently we're
running proof of concept triage behavior with a small group of people.)

--Mark

On 1/13/20 11:13 AM, Minelik, Ben [US] (MS) wrote:
> Good Morning,
> 
> I was wondering if there is a more holistic way we can address security in Yocto
> where we don’t have to create scripts for each vulnerability?  Is there anything
> in Yocto meta-security and buck-security that can assist with the hardening of
> Yocto?
> 
> Thank you,
> 
> Ben
> 
> Cybersecurity Engineer
> 
> 720-975-5665
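The CPE-based recipe check Mark describes above (pull CVE data, match each recipe by vendor:product and version, honour the recipe's ignore list), as an added example that is not the Yocto Project's cve-check code; the feed entries, recipe dicts and CVE ids are constructed placeholders, and the dict layout is an assumption.

```python
import re

# Constructed CVE feed entries in the shape the message describes: each
# names a CPE vendor/product and an affected version range. The CVE ids
# are placeholders, not real identifiers.
CVE_FEED = [
    {"id": "CVE-0000-0001", "vendor": "openssl", "product": "openssl",
     "start_incl": "1.1.1", "end_excl": "1.1.1k"},
    {"id": "CVE-0000-0002", "vendor": "gnu", "product": "bash",
     "start_incl": "", "end_excl": "5.1"},
]

def _vkey(version):
    """Order versions like 1.1.1 < 1.1.1g < 1.1.1k: numeric runs sort
    before letter runs, so mixed comparisons never raise."""
    return [(0, int(t)) if t.isdigit() else (1, t)
            for t in re.findall(r"\d+|[A-Za-z]+", version)]

def check_recipe(recipe, feed):
    """Match one recipe against the feed by CPE vendor:product and version.
    Returns CVEs still open and CVEs the recipe explicitly ignores."""
    vendor, _, product = recipe["cve_product"].rpartition(":")
    version = _vkey(recipe["version"])
    unpatched, ignored = [], []
    for cve in feed:
        if cve["product"] != product:
            continue
        if vendor and cve["vendor"] not in ("*", vendor):
            continue
        if cve["start_incl"] and version < _vkey(cve["start_incl"]):
            continue
        if cve["end_excl"] and version >= _vkey(cve["end_excl"]):
            continue
        (ignored if cve["id"] in recipe["cve_check_ignore"] else unpatched).append(cve["id"])
    return {"unpatched": unpatched, "ignored": ignored}

# Constructed recipes. Field names mirror the cve-check variables
# (CVE_PRODUCT, CVE_CHECK_IGNORE); the dict layout is an assumption.
RECIPES = [
    {"name": "openssl", "version": "1.1.1g", "cve_product": "openssl:openssl", "cve_check_ignore": []},
    {"name": "bash", "version": "5.0", "cve_product": "gnu:bash", "cve_check_ignore": ["CVE-0000-0002"]},
    # No feed entry names this product yet, so nothing is reported. That is
    # the reactive gap in the message: "no finding" is not "no vulnerability".
    {"name": "zlib", "version": "1.2.11", "cve_product": "zlib", "cve_check_ignore": []},
]

if __name__ == "__main__":
    for r in RECIPES:
        print(r["name"], r["version"], check_recipe(r, CVE_FEED))
```

The third recipe is the point of the message: a product the feed has not yet tagged with a CPE produces an empty result, which is silence from the triage data, not a clean bill of health.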
