Monitor security fixes in embedded libraries

Monitor security fixes in embedded libraries

Jacques Le Roux
Administrator
Hi,

I believe we currently have no plans to monitor security fixes in embedded libraries. So I guess, from time to time, or for a reason, a committer takes a look at a lib and updates it. We are quite blind.

Unfortunately, I think there are no free tools in the IT industry. Paid ones exist, like http://www.tenable.com/products/securitycenter (found at https://cve.mitre.org/compatible/vulnerability_alerting.html)

So all we can do is to subscribe to services like https://www.kb.cert.org/vuls/
I just subscribed to the "National Cyber Awareness System Mailing Lists" (US gov); is someone else doing so?
Weirdly, the EU has no such ML http://cert.europa.eu/cert/newsletter/fr/latest_Security%20Bulletins_.html (?), only an RSS feed http://cert.europa.eu/cert/filteredition/en/CERTNewsFilter.html

Jacques
Re: Monitor security fixes in embedded libraries

Jacques Le Roux
Administrator
Are we sure all the libs we use are safe?
For instance, I'd love to have a tool like this one http://open.bekk.no/retire-js-what-you-require-you-must-also-retire generalised to jQuery plugins and Java libs (not sure if this one is good, not tested, just an example).

Jacques

On Saturday, November 16, 2013 11:36 AM Jacques Le Roux <[hidden email]> wrote:

> Hi,
>
> I believe we currently have no plans to monitor security fixes in embedded libraries. So I guess, from time to time, or for a
> reason, a committer takes a look at a lib and updates it. We are quite blind.
>
> Unfortunately, I think there are no free tools in the IT industry. Paid ones exist, like
> http://www.tenable.com/products/securitycenter (found at https://cve.mitre.org/compatible/vulnerability_alerting.html)
>
> So all we can do is to subscribe to services like https://www.kb.cert.org/vuls/
> I just subscribed to the "National Cyber Awareness System Mailing Lists" (US gov); is someone else doing so?
> Weirdly, the EU has no such ML http://cert.europa.eu/cert/newsletter/fr/latest_Security%20Bulletins_.html (?), only an RSS feed
> http://cert.europa.eu/cert/filteredition/en/CERTNewsFilter.html
>
> Jacques
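The retire.js idea mentioned in the second message (compare the versions of the libraries you ship against a list of versions known to have security fixes) carries over to Java jars almost unchanged. Below is an added, self-contained Python sketch of such a check; it is not code from this thread or from the project, and everything in it is constructed for illustration: the jar names, the advisory entries and the `HYPOTHETICAL-*` identifiers are placeholders, not real libraries or real CVEs. The only assumption about the project is that embedded libraries sit in a directory as `artifact-version.jar` files.

```python
"""Retire.js-style check for embedded Java jars: flag any jar whose version
falls inside a known-affected range.  Example code; advisory data is
constructed and the identifiers are placeholders, not real CVEs."""
import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    artifact: str      # jar artifact name, e.g. "example-json"
    at_or_above: str   # range start, inclusive
    below: str         # first fixed version, exclusive
    ref: str           # advisory identifier (placeholder here)


# Constructed for illustration; maintain the real list from the vendor
# advisories / mailing lists you subscribe to.
ADVISORIES = [
    Advisory("example-json", at_or_above="0.0", below="2.4.1", ref="HYPOTHETICAL-2013-001"),
    Advisory("example-http", at_or_above="4.0", below="4.2.6", ref="HYPOTHETICAL-2013-002"),
]

# "<artifact>-<version>.jar": artifact may contain hyphens, version starts with a digit.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")


def parse_version(v):
    """Split '4.2-SNAPSHOT' into comparable parts.  Numeric parts are
    (1, int); qualifiers are (0, text) so a pre-release sorts below the
    corresponding release once both tuples are padded to the same length."""
    parts = []
    for tok in re.split(r"[.\-]", v):
        parts.append((1, int(tok)) if tok.isdigit() else (0, tok.lower()))
    return tuple(parts)


def version_lt(a, b):
    """True if version a is strictly older than version b.
    Missing components count as 0, so 2.4 < 2.4.1 and 1.2-SNAPSHOT < 1.2."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pad = lambda p: p + ((1, 0),) * (n - len(p))
    return pad(pa) < pad(pb)


def is_affected(version, adv):
    """Affected iff at_or_above <= version < below."""
    return not version_lt(version, adv.at_or_above) and version_lt(version, adv.below)


def scan(jar_names, advisories=ADVISORIES):
    """Return (findings, unparsed).  findings: (jar, advisory ref, first fixed
    version); unparsed: jars whose version could not be read from the name,
    which must be reviewed by hand rather than silently assumed safe."""
    findings, unparsed = [], []
    for name in jar_names:
        m = JAR_RE.match(name)
        if not m:
            unparsed.append(name)
            continue
        artifact, version = m.group("artifact"), m.group("version")
        for adv in advisories:
            if adv.artifact == artifact and is_affected(version, adv):
                findings.append((name, adv.ref, adv.below))
    return findings, unparsed


def scan_directory(path, advisories=ADVISORIES):
    """Scan every *.jar in a real lib directory."""
    jars = sorted(f for f in os.listdir(path) if f.endswith(".jar"))
    return scan(jars, advisories)


# Constructed directory listing standing in for a project's lib/ folder.
SAMPLE_LIB_DIR = [
    "example-json-2.3.jar",           # older than first fixed 2.4.1 -> flagged
    "example-json-2.4.1.jar",         # fixed version -> clean
    "example-http-4.2.6.jar",         # fixed version -> clean
    "example-http-4.1-SNAPSHOT.jar",  # inside [4.0, 4.2.6) -> flagged
    "example-http-3.9.jar",           # below the affected range -> clean
    "unversioned-tool.jar",           # no version in the name -> reported as unparsed
]

if __name__ == "__main__":
    findings, unparsed = scan(SAMPLE_LIB_DIR)
    for jar, ref, fixed in findings:
        print(f"VULNERABLE  {jar}: {ref}, fixed in {fixed}")
    for jar in unparsed:
        print(f"UNKNOWN     {jar}: version not recoverable from file name")
```

Two caveats a real deployment would need: matching on file names misses shaded or renamed jars (reading `META-INF/MANIFEST.MF` or `pom.properties` inside the jar is more reliable), and the advisory list is only as good as the feeds that keep it current, which is exactly the subscription problem raised in the first message.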