[quote="coleray, post:1, topic:6393"]
Some gaps to be addressed for ROS2 Crystal:

* Secure services and parameters
* Secure key storage
* Automated security recommendations and configuration
* Secure, signed configurations management
* Auditing and logging
* External network connectivity
* Security best practices
* Promoting security-driven tests
[/quote]

It's not realistic for ROS2 Crystal either, but it is worth considering for the long-term roadmap:

* integration of fuzz testing into the CI environment

There is a [nice read (blog post of a Security Engineer)](https://www.fastly.com/blog/how-bootstrap-self-service-continuous-fuzzing) about how to integrate public repositories into [Google OSS-Fuzz](https://github.com/google/oss-fuzz) ("continuous open source software fuzzing as a service") and about how to make OSS-Fuzz work for private repositories. Google tries to motivate people to integrate projects into OSS-Fuzz with [patch rewards](https://www.google.com/about/appsecurity/patch-rewards/)... probably an interesting model to get people like aliasrobotics.com (@EndikaGu) involved in ROS2 security improvement ;-) .

However, since OSS-Fuzz-based fuzz testing addresses low levels of abstraction (source code like `rclcpp`, `rclc`, `rmw`), its priority compared to the other points in the list (higher levels of abstraction like features, "security by design") is quite low. Nevertheless, worth mentioning here, I guess.

---

[Visit Topic](https://discourse.ros.org/t/ros2-security-working-group-online-meeting/6393/2)
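To make the "low level of abstraction" point concrete, here is an added example of what an OSS-Fuzz-style libFuzzer target for a message-level parser looks like. It is not code from the post, the linked blog, rclcpp, rclc or rmw: the length-prefixed wire format, `parse_frame`, `encode_frame`, `roundtrip_ok` and the `LIBFUZZER_BUILD` macro are assumptions made for this illustration. The harness checks not only that malformed input does not crash the parser but that encode and decode agree with each other, which is the kind of logic bug a crash-only target never reports.

```cpp
// Added example, not ROS 2 project code. Hypothetical length-prefixed frame
// format and a libFuzzer entry point for it.
//
// Fuzz build (what OSS-Fuzz's build.sh would do with $CXX $CXXFLAGS $LIB_FUZZING_ENGINE):
//   clang++ -g -O1 -DLIBFUZZER_BUILD -fsanitize=fuzzer,address frame_fuzz.cpp -o frame_fuzz
// Plain build (replays corpus files / crash artifacts through the same entry point):
//   g++ -g -fsanitize=address frame_fuzz.cpp -o frame_replay && ./frame_replay crash-*
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Assumed wire format (not the DDS/RTPS encoding rmw actually uses):
//   u16 big-endian topic length | topic bytes | u32 big-endian payload length | payload bytes
struct Frame {
    std::string topic;
    std::vector<uint8_t> payload;
    bool operator==(const Frame &o) const { return topic == o.topic && payload == o.payload; }
};

// Encoder; the harness uses it to check that the parser round-trips what it accepts.
std::vector<uint8_t> encode_frame(const Frame &f) {
    std::vector<uint8_t> out;
    uint16_t tlen = static_cast<uint16_t>(f.topic.size());
    uint32_t plen = static_cast<uint32_t>(f.payload.size());
    out.push_back(static_cast<uint8_t>(tlen >> 8));
    out.push_back(static_cast<uint8_t>(tlen));
    out.insert(out.end(), f.topic.begin(), f.topic.end());
    for (int shift = 24; shift >= 0; shift -= 8) out.push_back(static_cast<uint8_t>(plen >> shift));
    out.insert(out.end(), f.payload.begin(), f.payload.end());
    return out;
}

// Parser with the bounds checks a fuzzer typically finds missing: every length
// read from the wire is compared against the bytes *remaining* (size - pos),
// so no attacker-chosen length can make it read past the buffer.
// Returns false on malformed input instead of touching out-of-bounds memory.
bool parse_frame(const uint8_t *data, size_t size, Frame &out) {
    size_t pos = 0;
    if (size - pos < 2) return false;
    uint16_t tlen = static_cast<uint16_t>((data[0] << 8) | data[1]);
    pos += 2;
    if (tlen > size - pos) return false;              // topic would overrun the buffer
    out.topic.assign(reinterpret_cast<const char *>(data + pos), tlen);
    pos += tlen;
    if (size - pos < 4) return false;
    uint32_t plen = 0;
    for (int i = 0; i < 4; ++i) plen = (plen << 8) | data[pos + i];
    pos += 4;
    if (plen != size - pos) return false;             // payload must fill the rest exactly
    out.payload.assign(data + pos, data + size);
    return true;
}

// Invariant checked on every fuzzer input: if the parser accepts `bytes`, then
// encode(parse(bytes)) == bytes. Rejecting input is fine; crashing or silently
// re-interpreting it is not.
bool roundtrip_ok(const uint8_t *data, size_t size) {
    Frame f;
    if (!parse_frame(data, size, f)) return true;
    std::vector<uint8_t> again = encode_frame(f);
    return again.size() == size && std::equal(again.begin(), again.end(), data);
}

// The entry point libFuzzer (and therefore OSS-Fuzz) calls once per generated input.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    if (!roundtrip_ok(data, size)) __builtin_trap();  // reported as a crash with the input saved
    return 0;                                           // non-zero return values are reserved
}

#ifndef LIBFUZZER_BUILD
// Plain build only (libFuzzer supplies its own main): replay each file given on
// the command line through the same entry point, e.g. a saved crash artifact.
int main(int argc, char **argv) {
    for (int i = 1; i < argc; ++i) {
        FILE *fp = std::fopen(argv[i], "rb");
        if (!fp) { std::perror(argv[i]); return 1; }
        std::vector<uint8_t> buf;
        uint8_t chunk[4096];
        size_t n;
        while ((n = std::fread(chunk, 1, sizeof chunk, fp)) > 0) buf.insert(buf.end(), chunk, chunk + n);
        std::fclose(fp);
        LLVMFuzzerTestOneInput(buf.data(), buf.size());
        std::printf("%s: ok\n", argv[i]);
    }
    return 0;
}
#endif
```

Wiring a target like this into OSS-Fuzz is then a project directory in the oss-fuzz repository (Dockerfile, build.sh, project.yaml) whose build.sh compiles it with the `$CXX $CXXFLAGS $LIB_FUZZING_ENGINE` variables OSS-Fuzz provides; the same binary, built without `-DLIBFUZZER_BUILD`, doubles as a regression test in ordinary CI by replaying the saved corpus.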