Mercurial Security Review
Augie Fackler
raf at durin42.com
Tue Dec 16 23:08:22 UTC 2014
On Dec 16, 2014, at 2:57 PM, Mcadams, Philip W <philip.w.mcadams at intel.com> wrote:
> Here at our organization, Intel, we are required to perform a security review on the Mercurial application. We have been requested to reach out to your team to get answers to the following questions and roll them back to IT. Can you please answer the following questions?
Mercurial is open-source software, so I'm not sure what you're expecting here. Certainly Intel is familiar with OSS and how it works?
>
> Are you following a Security Development Lifecycle (SDL) Process? Please provide a description of the SDL process followed.
> Are application security reviews incorporated into your SDL process? Please provide a description of the application security review process followed.
> Do you conduct security reviews? If so, what?
> Do you use any tools to test for vulnerabilities?
> Static Code Analysis tools
> Dynamic Code Analysis Tools
> Penetration testing tools
> Can you provide the results of these vulnerability reviews performed?
> Have you closed on vulnerabilities found for the subject application using these application security reviews?
> Are you committed to perform regular security reviews of the application and resolving vulnerabilities identified?
>
> Thank you.
>
> Philip McAdams
> Software Configuration Management Engineer
> NSG ISE Test Engineering & SCM
> Desk: (916) 377-6156 Cell: (678) 770-3176 Pole: FM3-1-D7
>
> _______________________________________________
> Mercurial mailing list
> Mercurial at selenic.com
> http://selenic.com/mailman/listinfo/mercurial