[ros-users] [Discourse.ros.org] [Next Generation ROS] ROS2 Security Working Group Online Meeting

Florian Kromer ros.discourse at gmail.com
Wed Oct 10 13:14:37 UTC 2018

[quote="coleray, post:1, topic:6393"]
Some gaps to be addressed for ROS2 Crystal:

* Secure services and parameters
* Secure key storage
* Automated security recommendations and configuration
* Secure, signed configurations management
* Auditing and logging
* External network connectivity
* Security best practices
* Promoting security-driven tests
[/quote]

It's not realistic for ROS2 Crystal either, but it is worth considering for the long-term roadmap:

* integration of fuzz testing into the CI environment

There is a [nice read (blog post of a Security Engineer)](https://www.fastly.com/blog/how-bootstrap-self-service-continuous-fuzzing) about how to integrate public repositories into [Google OSS-Fuzz](https://github.com/google/oss-fuzz) ("continuous open source software fuzzing as a service") and about how to make OSS-Fuzz work for private repositories. Google tries to motivate people to integrate projects into OSS-Fuzz with [patch rewards](https://www.google.com/about/appsecurity/patch-rewards/)... probably an interesting model to get people like aliasrobotics.com (@EndikaGu) involved in ROS2 security improvement ;-) . However, since OSS-Fuzz based fuzz testing addresses low levels of abstraction (source code like `rclcpp`, `rclc`, `rmw`), its priority in comparison to the other points in the list (higher levels of abstraction like features, "security by design") is quite low. Nevertheless, it's worth mentioning here I guess.
