MicroPython security process?

General discussions and questions about development of code with MicroPython that is not hardware specific.
Target audience: MicroPython Users.
hitman
Posts: 1
Joined: Thu Feb 04, 2021 1:48 pm

MicroPython security process?

Post by hitman » Thu Feb 04, 2021 1:59 pm

Good time of the day!

While browsing through the website, github, and the forums I could not find much data on security monitoring and maintenance becoming more and more important for IoT devices. I have the following questions:

1. Does anybody keep track of vulnerabilities and exposures of MicroPython implementation and its ports?
2. Does the development team make sure that the latest security patches are applied to MicroPython dependencies?
3. Does anyone run security scanning SW on the MicroPython code base?

Thank you very much in advance!
Best,
Alexei Sintotski

Damien
Site Admin
Posts: 647
Joined: Mon Dec 09, 2013 5:02 pm

Re: MicroPython security process?

Post by Damien » Sat Feb 06, 2021 1:31 am

Hi!

The general answer to your questions is that, if you develop an IoT device and security is important to the application, then you should have your own procedures in place to make sure your device and all the code meets the security requirements (or otherwise) of the application. For example, MicroPython is used in a lot of medical devices and the usual safety and certification requirement of medical devices apply to MicroPython and all the associated code in the same way they would to a C++ code base.

When you build a device using MicroPython there will be a large amount of application-specific code written by yourself in Python (and maybe C). This code becomes part of the overall system and must be audited/etc as a whole.

That said, of course we do try to stay on top of vulnerabilities that impact MicroPython and that we have a chance to fix. A lot of the components that are exposed to the outside world (the surface area) like WiFi and Bluetooth usually interface to the world via third-party components. E.g. on esp32 WiFi vulnerabilities need to be addressed in the Espressif IDF component that we use. For TLS we use mbedtls and we assume it has its own procedures in place with regards to security and vulnerabilities.

To try and answer your questions directly: 1) There is no particular person assigned to tracking vulnerabilities. Usually the community brings up issues when they arise. 2) If we are made aware of critical patches in third party components then we aim to update them as soon as practical. 3) We have an extensive test suite and coverage analysis which is run on each commit. People have run fuzzing on the code base and that has picked up issues which were resolved, but that is not an ongoing process.
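Damien's point that patches for third-party components (mbedtls, ESP-IDF) land as updated submodule pins suggests one check a device maker can run in their own process. The script below is an added example, not MicroPython project code: it parses `git submodule status` output and flags components whose pinned tag is below a policy minimum or cannot be verified. The sample output, the submodule paths and the policy table are constructed assumptions.

```python
"""Added example, not MicroPython project code: inventory the third-party
components pinned as git submodules in a checkout and flag any that are below
the minimum version your own policy requires. Input is the text printed by
`git submodule status`; the sample and the policy table are constructed."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample of `git submodule status` output (hashes and tags are made up).
SAMPLE_STATUS = """\
 0123456789abcdef0123456789abcdef01234567 lib/mbedtls (mbedtls-2.28.0)
 89abcdef0123456789abcdef0123456789abcdef lib/lwip (STABLE-2_1_2_RELEASE)
+fedcba9876543210fedcba9876543210fedcba98 lib/berkeley-db-1.xx (heads/master)
"""

# Assumed policy: minimum acceptable version per component, chosen by the device maker.
MIN_VERSIONS: Dict[str, Version] = {"lib/mbedtls": (2, 28, 1), "lib/lwip": (2, 1, 2)}

# Status line format: <state char><40-hex sha> <path> (<describe output>)
LINE_RE = re.compile(r"^([ +\-U])([0-9a-f]{40}) (\S+)(?: \((.*)\))?$")

def parse_version(tag: Optional[str]) -> Optional[Version]:
    """Extract a numeric version such as 2.28.0 or 2_1_2 from a describe tag."""
    m = re.search(r"(\d+(?:[._]\d+)+)", tag or "")
    return tuple(int(p) for p in re.split(r"[._]", m.group(1))) if m else None

def parse_submodule_status(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (state_char, path, describe_tag) for each submodule line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(3), m.group(4)))
    return rows

def check_components(text: str, policy: Dict[str, Version]) -> List[str]:
    """One finding per submodule that is out of policy or cannot be verified."""
    findings = []
    for state, path, tag in parse_submodule_status(text):
        if state != " ":  # '+', '-' or 'U': checkout differs from the recorded pin
            findings.append(f"{path}: checkout does not match the recorded pin (status '{state}')")
        version = parse_version(tag)
        if version is None:
            findings.append(f"{path}: no version tag ({tag}), cannot verify against policy")
        elif path in policy and version < policy[path]:
            findings.append(f"{path}: pinned {'.'.join(map(str, version))} is below policy "
                            f"minimum {'.'.join(map(str, policy[path]))}")
    return findings

if __name__ == "__main__":
    for finding in check_components(SAMPLE_STATUS, MIN_VERSIONS):
        print(finding)
```

On a real checkout, pipe `git submodule status` into `check_components` and run it in CI so a pin that falls behind your policy fails the build.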

pythoncoder
Posts: 5956
Joined: Fri Jul 18, 2014 8:01 am
Location: UK

Re: MicroPython security process?

Post by pythoncoder » Sat Feb 06, 2021 2:08 pm

@hitman You might be interested in this approach.
Peter Hinch
Index to my micropython libraries.
