February 5, 2025
Participants: Dan Janowski, @varnerac, Lee Barney, @maennchen, @voltone, Marc Nickert, Michael Lubas, Paul Swartz, Bas Wegh, @kiko
Compliance updates
CNA (CVE Numbering Authority)
- Still pending a response from MITRE
- Proposed meeting slots in February approaching
CISA Self Attestation and NIST SSDF
- To be discussed in call with NIST
- Some uncertainty about whether EEF can do this on behalf of projects
OpenChain
Source SBoM of OTP
- Contributions to OSS Review Toolkit accepted
- Source SBOM will be published with OTP releases starting with OTP 28
- Working on splitting SBOM by application
Application for Supply Chain Funding
- Trying to obtain funding for ongoing supply chain work
- Next step: align with documented package manager best-practices
- Get hex.pm involved, as well as build tools (Mix, Rebar3)
Erlang distribution protocol hardening
- Picking up discussion started in Slack
- Initial idea (Dan): make it easier to secure with TLS out of the box
  - Issuing certificates
  - Injecting kernel parameters
- Broader use-cases (Lee): connecting (possibly transient) nodes across the Internet
  - Instead of having to go through e.g. HTTPS
  - Large clusters, frequent membership changes, unreliable nodes
  - Security aspects just one part of it
- Invited Lee to present his work to the group in the future
- Offered Dan support with first round of research into possible approaches
Other updates
PenTest Sample App
- Michael just finished pen-testing Oban Pro, might be interested
- Need to start collecting requirements for the app’s scope
- Take it to Slack or Notion (see below)
WG collaboration tooling
- We have access to Notion, with non-profit discounts
- Read-only access is free, must pay per write-enabled seat
- Currently being used by @maennchen for broader EEF work
- Open it up a bit, start linking from Slack and meeting notes
- Create a landing page for the WG
- Keep licensed seats at a minimum
Next meeting
Wed 5 March 2025 at 16:00 CET / 15:00 GMT / 10am EST / 7am PST / 0:00 (Thu) JST
March 5, 2025
Participants: @maennchen, Daniel Janowski, @Alistair, @varnerac, @voltone
Updates from the CISO
CNA
- New dates in March proposed at MITRE’s request
- If/when meetings happen, CNA could be live in weeks
Grant Application
- Revised proposal, waiting for feedback
- First phase is to pen-test existing package manager integrations
- Got first offers for pen-test providers
- Started discussions with two, one for code review, one for red team
- Recommendations? Share with @maennchen
- Started to define “initiative” for EEF website for the purpose of fundraising in general
OpenChain
- Elixir: done
- Gleam: work started
NIST SSDF Sub-Standard
- Work started by Jonatan to define an SSDF “profile”
- Progress can be followed in Notion
- Contributions welcome
- Alignment with other ecosystems would be useful
- Just hard to find out who else might be working on something like this
- We asked NIST, they do not have visibility (at this time)
HTTP Clients in the ecosystem
- Lots of clients, some not actively maintained
- This state of things has security implications
- Some discussion on whether to adopt “Mint” approach for Erlang/OTP
- Try and invite @ingela @kiko and perhaps Andrea next month
Distribution TLS by default
- Two operating modes can be considered:
  - PSK (not great with TLS 1.2, no support in OTP with TLS 1.3)
  - Shared self-signed certificate
- Goal is to have some (build) tooling to prepare a release config “automatically”
- Align with OpenRiak, looking for migration to secure cluster
- Might need ability to listen both with and without TLS
- Configuring TLS settings at boot is tricky
- Next steps:
  - Continue digging and documenting in Notion
  - Discuss with OTP team, if they join next meeting (see above)
Next meeting
Wed 2 April 2025 at 16:00 CET / 15:00 GMT / 10am EST / 7am PST / 0:00 (Thu) JST
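As an added illustration of the "shared self-signed certificate" mode discussed in the notes above (example configuration written for this page, not tooling from the WG, OpenRiak or OTP): an `-ssl_dist_optfile` term file in which every node carries the same self-signed certificate and private key and trusts only that certificate. All file paths are assumptions, and so is the use of `{server_name_indication, disable}` to skip the hostname check that a single shared certificate cannot satisfy.

```erlang
%% ssl_dist.conf: Erlang term file passed to the VM with -ssl_dist_optfile.
%% Added example, not from the meeting notes or from OTP. Paths are assumptions.
%%
%% The same self-signed certificate and private key (node.pem, assumed to hold
%% both in PEM) are installed on every node. Because the certificate is
%% self-signed, it doubles as the only trust anchor: a peer is accepted only if
%% it presents this exact certificate, and the handshake fails otherwise.
[{server,
  [{certfile, "/etc/myapp/dist/node.pem"},     % cert + key (keyfile defaults to certfile)
   {cacertfile, "/etc/myapp/dist/node.pem"},   % trust anchor is the shared cert itself
   {verify, verify_peer},                      % demand a client certificate ...
   {fail_if_no_peer_cert, true},               % ... and reject peers that send none
   {versions, ['tlsv1.3', 'tlsv1.2']},
   {secure_renegotiate, true}]},
 {client,
  [{certfile, "/etc/myapp/dist/node.pem"},
   {cacertfile, "/etc/myapp/dist/node.pem"},
   {verify, verify_peer},                      % verify the server's certificate ...
   {server_name_indication, disable},          % ... but not its hostname: one cert serves every
                                               % node (assumption: inet_tls_dist honours this; if
                                               % not, issue a cert whose SAN lists every node host)
   {versions, ['tlsv1.3', 'tlsv1.2']},
   {secure_renegotiate, true}]}].
```

Nodes are then started with `-proto_dist inet_tls -ssl_dist_optfile /etc/myapp/dist/ssl_dist.conf` (on the `erl` command line or in a release's `vm.args`), which is the kind of boot-time wiring the notes say is awkward to automate. Two caveats the discussion raises apply directly: anyone holding the shared key is a fully trusted cluster member, so the key file needs the same handling as the Erlang cookie, and a node configured this way listens only over TLS; listening both with and without TLS, as mentioned for the OpenRiak migration, is not covered by this file.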
April 2, 2025
Participants: Daniel Janowski, @Alistair, @ingela, @varnerac, Dave Lucia, Lee Barney, George Madi, @voltone, @peerst
Secure coding curriculum
- Project by Podium:
- Currently seems abandoned, no activity for 2 years:
- Dave suggests EEF take over the GH repository
- Maintenance can be joint effort between SecWG, EduWG and TV Labs
- Next step: Dave reached out to Podium and EduWG
Compliance updates
CNA (CVE Numbering Authority)
- Meeting with MITRE finally took place:
  - On track to get setup in next couple of weeks
  - Need to define and document some internal policies, procedures and CVE record conventions
Erlang distribution protocol hardening
- Prototype by Daniel generates self-signed certificates using Rebar3:
  - Requires OTP patch to allow `verify_fun` for client certs to be customised
  - Private key the same on all nodes, simplifying key distribution
- Reservations about promoting anything based on self-signed certs:
  - People tend to abuse those, at the expense of security
- Peer mentioned Braid:
  - Delegates cert and key management to orchestrator (e.g. fly.io)
- As discussed previously, PSK would be a good fit:
  - Simplest, most universal setup, without assumptions about e.g. orchestrator
  - OTP team open to contributions to add PSK to TLS 1.3
  - Needs to be driven by real use-cases, starting with requirements for APIs
SEMP (Secure Erlang Message Protocol)
- Paper sent by Lee in the Slack channel (here):
  - Broader scope than just secure transport
  - Consider developing outside OTP as an alternative distribution protocol:
Next meeting
Wed April 30 at 16:00 CEST / 14:00 GMT / 10am EDT / 7am PDT / 23:00 JST
(WG Calendar is here, including subscription link to import into your calendar app)
April 30, 2025
Participants: @kiko, @maennchen, @voltone, Michael Lubas, Paula Calgaro, Nicholas Adams, Dan Janowski, @ingela, @Alistair, Lee Barney, George Madi, @varnerac
OTP purl type
- Proposal (from several years ago): ‘otp’ Package URL type | EEF Security WG
- Can help produce more accurate, actionable SBOMs
- EEF becoming CVE Numbering Authority gives us an opportunity to define how OTP apps will be identified in CVE records
- OTP team on board with the proposal
- Next steps: create a PR to the purl specs, then remove “draft”, write up an announcement
Marketing WG proposal: interview series
- To be published on YouTube by Marketing WG:
  - Along with shorts for other social media
  - Target for full length video perhaps 30 mins
  - Editing/publishing/promotion done by Marketing WG
- Need to find host and interviewees:
  - Several people said they would be willing to be interviewed
  - Host may be trickier, may want to consider enlisting help from e.g. established podcasters
- Topic and set of questions defined beforehand:
  - To be prepared by host, together with others
  - Shared with interviewee, for preparation
- Consider audio-only version (podcast) as well
Updates from the CISO
- purl library moved to EEF:
  - Core now in Erlang
  - PR to adopt as “Security WG project”
  - Consider teaming up with Build/Packaging WG
- GitHub dependency submission tool:
  - Basics now working
  - Ongoing work to support all features
  - May require some fixes on GH side as well
- AEgis project:
  - Looking for more funding/sponsors
  - Dashbit joined as contributing sponsor
- OIDC Client:
  - Preparing for additional certification
Industry groups partnerships
- Alistair came across:
  - Opportunity for EEF to join as non-profit partner
  - Gives us access to resources, events
- If anyone is interested, e.g. to gain access to NIST SSCA forum, reach out to Alistair
Windows/Mac binary signing
- EEF already helps release Elixir binaries for Windows
- Could do the same for Gleam, Erlang/OTP
- Look at how Livebook handles this
- Also consider OpenRiak
- Next step: Gleam binaries for Windows, then see what’s next
Next meeting
Wed May 28 at 16:00 CEST / 14:00 GMT / 10am EDT / 7am PDT / 23:00 JST
(WG Calendar is here, including subscription link to import into your calendar app)