Mercurial Security Review

Mcadams, Philip W philip.w.mcadams at intel.com
Tue Dec 16 23:57:35 UTC 2014


Augie,

To provide some scope we work in a business group called NSG within Intel. We utilize Mercurial to manage our Source Code and our Intel IT group informed us that they are performing a security audit. These questions were provided to our group by IT as they have informed us of a security audit that is currently taking place.

Intel is familiar with OSS. We were provided the questions outlined in case we use a third party software tool for SCM instead of an internal offering.

I was able to find the following doc: http://mercurial.selenic.com/wiki/CorporateMercurial that outlines your corporate use. Is there any additional documentation that you all have that discusses your policy on Mercurial security?

Thanks!

Philip McAdams
Software Configuration Management Engineer
NSG ISE Test Engineering & SCM
Desk: (916) 377-6156 Cell: (678) 770-3176 Pole: FM3-1-D7



-----Original Message-----
From: Augie Fackler [mailto:raf at durin42.com] 
Sent: Tuesday, December 16, 2014 3:08 PM
To: Mcadams, Philip W
Cc: mercurial at selenic.com
Subject: Re: Mercurial Security Review


On Dec 16, 2014, at 2:57 PM, Mcadams, Philip W <philip.w.mcadams at intel.com> wrote:

> Here at our organization, Intel, we are required to perform a security review on the Mercurial application. We have been requested to reach out to your team to get answers to the following questions and roll them back to IT. Can you please answer the following questions?

Mercurial is open-source software, so I'm not sure what you're expecting here. Certainly Intel is familiar with OSS and how it works?

>  
> Are you following a Security Development Lifecycle (SDL) Process?  Please provide a description of the SDL process followed.
> Are application security reviews incorporated into your SDL process?  Please provide a description of the application security review process followed.
> Do you conduct security reviews? If so, what?
> Do you use any tools to test for vulnerabilities?
> Static Code Analysis tools
> Dynamic Code Analysis Tools
> Penetration testing tools
> Can you provide the results of these vulnerability reviews performed?
> Have you closed on vulnerabilities found for the subject application using these application security reviews?
> Are you committed to perform regular security reviews of the application and resolving vulnerabilities identified?
>  
> Thank you.
>  
> Philip McAdams
> Software Configuration Management Engineer
> NSG ISE Test Engineering & SCM
> Desk: (916) 377-6156 Cell: (678) 770-3176 Pole: FM3-1-D7
>  
> _______________________________________________
> Mercurial mailing list
> Mercurial at selenic.com
> http://selenic.com/mailman/listinfo/mercurial
