Best practices on Connector's secure software development

[mabuse68]

Hi all,
Is there any publicly shareable information about this project's secure software development practices?
I am aware of the Eclipse Foundation Development Process; however, the process doesn't detail security-specific preparation and practices besides documenting the vulnerability discovery/resolution process.

[edit]
Perhaps I should reformulate my question: "Can we assume that the Eclipse-EDC Connector project follows the same principles that Tractus-X Sig-Security defines?

[jimmarino]

This question is too open-ended and general to answer. If you have a specific security-related question about the codebase, please feel free to post it.

[mabuse68]

Hi J.
Thanks for your answer.
I don't think the reformulation I added in my edit is that open-ended. Indeed a simple "YES" of "No" is the expected answer.

It would help us a lot, when talking to our partners, to reassure them that the code is developed following best practices of secure coding. In the Tractus-X project this is decently documented.

[jimmarino]

What does "best practices of secure coding" mean specifically? There are many opinions and ideas about what that entails.

The documents you pointed to are open-ended and very high-level, and a simple "yes" or "no" is not possible. EDC adoptors must conduct their own security assessments as their requirements will vary, and given that, should never accept a "yes/no" answer without that assessment.

Committers are happy to help answer specific questions, but they cannot be expected to devote time to broad questions like this.

[mabuse68]

Ok, so the answer is: "NO".
To my knowledge secure development has been defined under several framework. So, it might be a practice more than an opinion, NIST 800-618 ](https://csrc.nist.gov/pubs/sp/800/218/final) being an example.
Thanks for the time taken to answer me.

[jimmarino]

I didn't say "No." I said the question can't be answered as formulated because it is too vague. And yes, there are many different opinions and requirements concerning what it means for software to be developed according to "secure coding" practices as evidenced by all of the "standards," "frameworks," and "methodologies" focused on that space, including NIST.