Security

From OPeNDAP Documentation

1 Security Working Group

1.1 Motivation

We want to develop a policy that helps both OPeNDAP and the people who run our software to be confident that using the software does not substantially increase the level of risk of a computer/network security problem. We know that risk is inherent in using computer networks, but it can be managed and reduced by avoiding certain behaviors. The policy we develop here should address those behaviors. As we do this, we can hopefully increase awareness about computer security in the OPeNDAP community to the point where more services become available for users.

1.2 Statement of Work

  1. Evaluate existing Computer and Network security policies
  2. Distill from those elements which apply to OPeNDAP and its community of users
  3. Determine if we need to address both Servers and Clients in separate policies or not, or if we only need to address Server security
  4. Make recommendations to OPeNDAP regarding its Interim policy
  5. Develop a Community policy if that's appropriate
  6. Move on from policy to procedures, it that seems appropriate

1.3 Working Documents

  1. Strawman Security Policies
  2. OPeNDAP Security Policy and Procedures

1.4 Members

  1. James Gallagher
  2. Jerry Pan
  3. Chris Lynnes
  4. John Caron
  5. Rob De Almeida

1.5 Resources

Most of these resources are aimed at sites running computers. We do that, but information targeted at developers of the software others run seems harder to find. See below for more comments.

  • OWASP The Open Web Application Security Project has produced a Guide (pdf) which is widely used as an introduction to security issues.
  • cert.org This is a good site for information about code standards for C and C++ (there's nothing here for Java I could find).
  • The Center for Internet Security
  • ISO 17799 ISO 17799 (and its sister standard, whose number escapes me) are the 'big daddies' of security policies. They are certainly overkill for us, but chapter 8 and chapter 13 address software development and might have some interesting ideas. It would be a good idea to not contradict this standard, at the least.
  • SANS SANS seems like one of the best resources out there. I found this on my own and Jeff Ogata also recommended it. This is their section on policies, but they offer much more.
  • information-security-policies-and-standards.com
  • Here's a paper on Free and/or Open Source Software that has some interesting references.