Date: Sat, 18 Jan 2025 09:06:16 GMT
Message-Id: <202501180906.50I96G58006409@gitrepo.freebsd.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
From: Sergio Carlavilla Delgado
Subject: git: 0dd207df41 - main - Website - Status: Add FF security audit report
List-Id: Commit messages for all branches of the doc repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all
X-Git-Committer: carlavilla
X-Git-Repository: doc
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 0dd207df41392d0a22563f7689899e5e82433d94

The branch main has been updated by carlavilla:

URL: https://cgit.FreeBSD.org/doc/commit/?id=0dd207df41392d0a22563f7689899e5e82433d94

commit 0dd207df41392d0a22563f7689899e5e82433d94
Author:     Joseph Mingrone
AuthorDate: 2025-01-18 09:04:58 +0000
Commit:     Sergio Carlavilla Delgado
CommitDate: 2025-01-18 09:04:58 +0000

    Website - Status: Add FF security audit report

    Reviewed by:    emaste@, Pau Amma, Chris Moerz
    Differential Revision:  https://reviews.freebsd.org/D48447
---
 .../foundation-security-audit.adoc | 33 ++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/website/content/en/status/report-2024-10-2024-12/foundation-security-audit.adoc b/website/content/en/status/report-2024-10-2024-12/foundation-security-audit.adoc
new file mode 100644
index 0000000000..8b59947248
--- /dev/null
+++ b/website/content/en/status/report-2024-10-2024-12/foundation-security-audit.adoc
@@ -0,0 +1,33 @@ +=== Security Audits + +Contact: Ed Maste + +Contact: Alice Sowerby + +The project began in Q2 of 2024 and was funded by Alpha Omega with a budget of $137,500, which was used over about six months and is now complete. +The focus was on conducting a code audit for key subsystems, bhyve and Capsicum, as well as performing a security audit of the development process. +The funds were used to hire a specialist offensive security firm to perform the code audit, to contract developers to address issues found, and for Foundation staff's work on both audits. + +Q4 update + +The project is complete. + +The Code Audit and link:https://freebsdfoundation.org/wp-content/uploads/2024/11/2024_Code_Audit_Capsicum_Bhyve_FreeBSD_Foundation.pdf[subsequent reports] were released after the related Security Advisories were published. + +The Process Audit is complete. +It was created by FreeBSD Foundation staff who ran an outreach exercise to gather information about the current FreeBSD development process. +The teams consulted were: Security Team, Source Management Team, Cluster Administrators, Release Engineering Team. + +Information was gathered through an online long-form survey which was structured around existing frameworks for analysing security in software development. +Teams were asked to describe current development processes and appraise the current security practices, as well as to make suggestions for improvements. + +The responses were collated and synthesised into the report by Foundation staff. +The report was reviewed for accuracy by the original respondents. + +The report will now be made available to the Security Team and other teams previously mentioned, as well as to the Foundation executive team. +This will be a useful tool in identifying areas for investment and prioritisation going forward as more security projects are planned and funded. 
+ +The report is intended primarily for FreeBSD Project and Foundation planning purposes and as such there is no plan to promote it to an external audience. +Interested readers should contact the Security Team to request a copy of the report. + +To learn about the project, and to see historical monthly updates visit: link:https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024/FreeBSD[]. + +Sponsor: link:https://alpha-omega.dev/[Alpha Omega Project]
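Review bot: In the sentence "The Code Audit and link:https://freebsdfoundation.org/wp-content/uploads/2024/11/2024_Code_Audit_Capsicum_Bhyve_FreeBSD_Foundation.pdf[subsequent reports] were released after the related Security Advisories were published." the anchor text "subsequent reports" is attached to a single PDF whose filename identifies it as the Capsicum/bhyve code audit report itself, while "Code Audit" carries no link at all; readers are led to expect a set of follow-up documents and cannot reach the audit report from its own name. Suggest moving the link onto "Code Audit" (or linking both terms to their respective documents) so the sentence reads, for example, "The link:...[Code Audit] and subsequent reports were released after the related Security Advisories were published." The same file also tells readers to "contact the Security Team to request a copy" of the Process Audit without giving a contact address, whereas the Contact: lines at the top of the file do; a pointer to the Security Team's address there would make the instruction actionable.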