[quote="coleray, post:1, topic:6393"]
Some gaps to be addressed for ROS2 Crystal:
* Secure services and parameters
* Secure key storage
* Automated security recommendations and configuration
* Secure, signed configurations management
* Auditing and logging
* External network connectivity
* Security best practices
* Promoting security-driven tests
[/quote]
It's not realistic for ROS2 Crystal either; however, it's worth considering for the long-term roadmap:
* integration of fuzz testing into the CI environment
There is a [nice read (blog post of a Security Engineer)](https://www.fastly.com/blog/how-bootstrap-self-service-continuous-fuzzing) about how to integrate public repositories into [Google OSS-Fuzz](https://github.com/google/oss-fuzz) ("continuous open source software fuzzing as a service") and about how to make OSS-Fuzz work for private repositories. Google tries to motivate people to integrate projects into OSS-Fuzz with [patch rewards](https://www.google.com/about/appsecurity/patch-rewards/)... probably an interesting model to get people like aliasrobotics.com (@EndikaGu) involved in ROS2 security improvement ;-) . However, since OSS-Fuzz-based fuzz testing addresses low levels of abstraction (source code like `rclcpp`, `rclc`, `rmw`), its priority in comparison to the other points in the list (higher levels of abstraction like features, "security by design") is quite low. Nevertheless, worth mentioning here I guess.
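To make the "low level of abstraction" point concrete, the following is an added example of what an OSS-Fuzz/libFuzzer target for a message decoder looks like. It is not code from the original post, nor from `rclcpp`, `rclc` or `rmw`; the wire format it parses (`name_len` / topic name / little-endian `payload_len` / payload) is a constructed toy format invented here, and `parse_message`, `encode_message`, `parse_ok` and `parsed_topic` are hypothetical helper names. Only `LLVMFuzzerTestOneInput` is the real entry point that libFuzzer and OSS-Fuzz call.

```cpp
// Added example: libFuzzer-style harness for a constructed, minimal
// length-prefixed message format. Not rclcpp/rmw code; the format is invented.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Constructed wire format (hypothetical, not any ROS 2 / DDS encoding):
//   u8   name_len
//   name_len bytes   topic name (printable ASCII)
//   u16  payload_len (little endian)
//   payload_len bytes payload
struct Message {
    std::string topic;
    std::vector<uint8_t> payload;
};

// Returns true and fills `out` on success, false on any malformed input.
// Every read is bounds-checked against `len` before it happens; a missing
// check here is exactly what libFuzzer + ASan would report as a crash.
bool parse_message(const uint8_t* data, size_t len, Message& out) {
    size_t pos = 0;
    if (len < 1) return false;
    uint8_t name_len = data[pos++];
    if (name_len == 0 || name_len > len - pos) return false;
    for (size_t i = 0; i < name_len; ++i) {
        uint8_t c = data[pos + i];
        if (c < 0x20 || c > 0x7e) return false;  // printable ASCII only
    }
    out.topic.assign(reinterpret_cast<const char*>(data + pos), name_len);
    pos += name_len;
    if (len - pos < 2) return false;
    uint16_t payload_len = static_cast<uint16_t>(data[pos]) |
                           static_cast<uint16_t>(data[pos + 1] << 8);
    pos += 2;
    if (payload_len > len - pos) return false;
    out.payload.assign(data + pos, data + pos + payload_len);
    pos += payload_len;
    return pos == len;  // reject trailing bytes
}

// libFuzzer entry point. OSS-Fuzz links this file against $LIB_FUZZING_ENGINE
// (which supplies main) and feeds mutated inputs here; the return value is
// ignored by libFuzzer, it only watches for crashes and sanitizer reports.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    Message m;
    (void)parse_message(data, size, m);
    return 0;
}

// Encoder for building seed-corpus entries and regression checks (hypothetical).
std::vector<uint8_t> encode_message(const std::string& topic,
                                    const std::vector<uint8_t>& payload) {
    std::vector<uint8_t> buf;
    buf.push_back(static_cast<uint8_t>(topic.size()));
    buf.insert(buf.end(), topic.begin(), topic.end());
    buf.push_back(static_cast<uint8_t>(payload.size() & 0xff));
    buf.push_back(static_cast<uint8_t>((payload.size() >> 8) & 0xff));
    buf.insert(buf.end(), payload.begin(), payload.end());
    return buf;
}

// One-line wrappers so regression checks read as plain predicates (hypothetical).
bool parse_ok(const std::vector<uint8_t>& buf) {
    Message m;
    return parse_message(buf.data(), buf.size(), m);
}

std::string parsed_topic(const std::vector<uint8_t>& buf) {
    Message m;
    return parse_message(buf.data(), buf.size(), m) ? m.topic : std::string();
}
```

Stand-alone, the target builds with `clang++ -g -O1 -fsanitize=fuzzer,address harness.cpp -o harness` and runs as `./harness corpus/`; inside an OSS-Fuzz `build.sh` the same file is compiled as `$CXX $CXXFLAGS harness.cpp $LIB_FUZZING_ENGINE -o $OUT/harness`, which is why the file deliberately has no `main` of its own. Seeding the corpus with a few `encode_message` outputs gives the mutator valid structure to start from, so it reaches the length fields quickly instead of spending its budget on inputs rejected at the first byte.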
---
[Visit Topic](https://discourse.ros.org/t/ros2-security-working-group-online-meeting/6393/2)