diff --git a/website/content/en/status/report-2024-10-2024-12/foundation-security-audit.adoc b/website/content/en/status/report-2024-10-2024-12/foundation-security-audit.adoc new file mode 100644 --- /dev/null +++ b/website/content/en/status/report-2024-10-2024-12/foundation-security-audit.adoc 
@@ -0,0 +1,32 @@ +=== Security Audits + +Contact: Ed Maste + +Contact: Alice Sowerby + +The project began in Q2 of 2024 and was funded by Alpha Omega with a budget of $137,500, which was used over about six months and is now complete. +The focus was on conducting a code audit for key subsystems, bhyve and Capsicum, as well as performing a security audit of the development process. + +Q4 update + +The project is complete. + +The Code Audit and link:https://freebsdfoundation.org/wp-content/uploads/2024/11/2024_Code_Audit_Capsicum_Bhyve_FreeBSD_Foundation.pdf[subsequent reports] were released after the related Security Advisories were published. + +The Process Audit is complete. +It was created by FreeBSD Foundation staff who ran an outreach exercise to gather information about the current FreeBSD development process. +The teams consulted were: Security Team, Source Management Team, Cluster Administrators, Release Engineering Team. + +Information was gathered through an online long-form survey which was structured around existing frameworks for analysing security in software development. +Teams were asked to describe current development processes and appraise the current security practices, as well as to make suggestions for improvements. + +The responses were collated and synthesised into the report by Foundation staff. +The report was reviewed for accuracy by the original respondents. + +The report will now be made available to the Security Team and other teams previously mentioned, as well as to the Foundation executive team. +This will be a useful tool in identifying areas for investment and prioritisation going forward as more security projects are planned and funded. + +The report is intended primarily for FreeBSD Project and Foundation planning purposes and as such there is no plan to promote it to an external audience. +Interested readers should contact the Security Team to request a copy of the report. 
+ +To learn about the project, and to see historical monthly updates visit: link:https://github.com/ossf/alpha-omega/tree/main/alpha/engagements/2024/FreeBSD[]. + +Sponsor: link:https://alpha-omega.dev/[Alpha Omega Project]
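Review bot: the two `Contact:` lines at the top of the hunk carry names only, with no address after them, unlike the usual `Contact: Name <address>` form of status-report entries; add the addresses so readers of the rendered report can reach the contacts. Two smaller wording points in the same hunk: in "The Code Audit and link:...[subsequent reports] were released", the link label "subsequent reports" sits on the Code Audit PDF URL, so the anchor text should name the document it points to (the code audit report) rather than "subsequent reports"; and "The project is complete." under "Q4 update" is immediately restated by "The Process Audit is complete.", which could be folded into one sentence, for example "The project is complete: the Code Audit report has been published and the Process Audit has been delivered."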