Security testing: need for a security policy, and a security-critical package process
eric at christensenplace.us
Tue Dec 1 17:47:23 UTC 2009
On Mon, Nov 30, 2009 at 22:40, Hal Murray <hmurray at megapathdsl.net> wrote:
> gene at czarc.net said:
> > A written description of the security policy is a must!
> Is the idea of a single one-size-fits-all security policy reasonable? I
> think Fedora has a broad range of users.
Probably not, but there are some basics that should be implemented for
> Security is a tradeoff. If you make it impossible for the bad guys to get
> in, the good guys probably can't get any work done. How secure do you need
> to be? How much are you willing to pay for it?
How much are you willing to pay to clean up the aftermath?
> I'd much rather have an overview document that explains the likely attacks
> and potential solutions, and their costs and benefits. Additionally, I
> it's much easier to follow a policy if I understand the reasoning behind
The Fedora Security Guide (found at docs.fedoraproject.org and in a friendly
repo near you) started out that way and has blossomed into that and a whole
lot more. As always suggestions and patches are welcome.
> I think sample policy documents with descriptions of their target audience
> and checklists for how to implement them would be helpful.