Mercurial Security Review
Augie Fackler
raf at durin42.com
Wed Dec 17 00:03:52 UTC 2014
On Dec 16, 2014, at 6:57 PM, Mcadams, Philip W <philip.w.mcadams at intel.com> wrote:
> Augie,
>
> To provide some scope we work in a business group called NSG within Intel. We utilize Mercurial to manage our Source Code and our Intel IT group informed us that they are performing a security audit. These questions were provided to our group by IT as they have informed us of a security audit that is currently taking place.
>
> Intel is familiar with OSS. We were provided the questions outlined in case we use a third party software tool for SCM instead of an internal offering.
>
> I was able to find the following doc: http://mercurial.selenic.com/wiki/CorporateMercurial that outlines your corporate use. Is there any additional documentation that you all have that discusses your policy on Mercurial security?
I guess I'm not sure what you're asking, because now it sounds very much like you want advice on locking down Mercurial servers, whereas before you were asking questions about enterprisey things like our "Software Development Lifecycle" which is clearly nonsense to any meaningfully bazaar-style OSS project.
The wiki page you've linked to is some high-level advice on how to secure Mercurial within a corporation, but is not how the Mercurial project is developed. Understanding that wiki page should let you be empowered to make your own decisions. Does that help?
I can't really guess what your security auditors are looking for. It might be more fruitful to have them ask us any relevant questions directly on this mailing list (which, btw, is public)?
> Thanks!
>
> Philip McAdams
> Software Configuration Management Engineer
> NSG ISE Test Engineering & SCM
> Desk: (916) 377-6156 Cell: (678) 770-3176 Pole: FM3-1-D7
>
>
>
> -----Original Message-----
> From: Augie Fackler [mailto:raf at durin42.com]
> Sent: Tuesday, December 16, 2014 3:08 PM
> To: Mcadams, Philip W
> Cc: mercurial at selenic.com
> Subject: Re: Mercurial Security Review
>
>
> On Dec 16, 2014, at 2:57 PM, Mcadams, Philip W <philip.w.mcadams at intel.com> wrote:
>
>> Here at our organization Intel we are required to perform a security review on the Mercurial application. We have been requested to reach out to your team to get answers to the following questions and roll them back to IT. Can you please answer the following questions:
>
> Mercurial is open-source software, so I'm not sure what you're expecting here. Certainly Intel is familiar with OSS and how it works?
>
>>
>> Are you following a Security Development Lifecycle (SDL) Process? Please provide a description of the SDL process followed.
>> Are application security reviews incorporated into your SDL process? Please provide a description of the application security review process followed.
>> Do you conduct security reviews? If so, what?
>> Do you use any tools to test for vulnerabilities?
>> Static Code Analysis tools
>> Dynamic Code Analysis Tools
>> Penetration testing tools
>> Can you provide the results of these vulnerability reviews performed?
>> Have you closed on vulnerabilities found for the subject application using these application security reviews?
>> Are you committed to perform regular security reviews of the application and resolving vulnerabilities identified?
>>
>> Thank you.
>>
>> Philip McAdams
>> Software Configuration Management Engineer
>> NSG ISE Test Engineering & SCM
>> Desk: (916) 377-6156 Cell: (678) 770-3176 Pole: FM3-1-D7
>>
>> _______________________________________________
>> Mercurial mailing list
>> Mercurial at selenic.com
>> http://selenic.com/mailman/listinfo/mercurial
>