nguyenducnhaty / opengse

Automatically exported from code.google.com/p/opengse
Apache License 2.0
0 stars 0 forks source link

Get security team signoff #3

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
We need to contact security-team@google.com to confirm that we have signoff.

From http://wiki/Main/HowToOpenSourceGoogleCode :

"When open-sourcing code that is part of google3, there is always a risk
that publishing the code might expose information about our software or
systems. A good example is protocol buffers: when open-sourced, it will be
easier for users to extract information from data that might have
previously looked like binary blobs. In these cases it is important to keep
the security team in the loop so that the risk can be assessed and
ameliorated."

It is entirely possible that they will think of OpenGSE as a threat to the
security of our extant GSE-based applications, so we should be prepared for
them to ask us tough questions like:

"Someone looks at the source for OpenGSE and discovers a vulnerability in
OpenGSE that is *also* present in GSE that allows them to poke around
inside Google prod.  What tests do you have in place and/or what code
review process have you been through to assure us that this isn't an
additional risk?"

I understand that the process requires someone to go over the entire body
of code (line by line), and review it for security issues.  To expedite
this, we may want to get them involved *very* early, and we may wish to do
*extra* cleanups in the code so that it's *very* clear what the code is
doing.  I don't know how this process works, but this may mean that we have
to hand over a snapshot and wait for them to review it before releasing.

Original issue reported on code.google.com by Mickey.K...@gmail.com on 28 Jul 2008 at 8:46

GoogleCodeExporter commented 8 years ago

Original comment by Mickey.K...@gmail.com on 29 Jul 2008 at 9:31

GoogleCodeExporter commented 8 years ago
Security review has been done. We're good to go.

Original comment by mike.c.j...@gmail.com on 9 Oct 2008 at 3:34