From Symbian Developer Community

The Security Strategy Working Group (SSWG) is a working group reporting to the Symbian Foundation Architecture Council (AC).

Contents 1 Aims 2 Mandate 3 Scope 4 Structure 5 Work Items 6 Working Group Meetings 7 Mailing List

Aims

• produce guidelines and recommend processes to maintain the security of the Symbian Platform
• identify gaps, if any, in the current platform security architecture
• identify operational entities which are required to support effective running of the recommended processes
• recruit volunteers from the community to establish the identified operational entities

Mandate

The SSWG was approved at the AC meeting held in Helsinki on 27th August 2009. The AC will ratify the recommendations of the SSWG. The SSWG will be wound up once identified operational entities are in place (target of end Q2 2010).

The SSWG will broadly follow the operating principles outlined in the Working Group Guidelines, with some exceptions:

• membership — open to anyone, whether or not associated with a Symbian Foundation member company.
• communication — work items will be progressed primarily on the mailing list, secondarily in the Security forum, with exceptional teleconferences and/or face-to-face meetings. Mailing list archives will be open to anyone.
• voting — it is not anticipated that there will be votes within the WG; if consensus cannot be achieved, the differing points of view will be represented impartially to the AC.

Scope

In Scope

• security of devices based on the Symbian Platform

• process for handling reports of potential security vulnerabilities
• process for notification of the availability of security fixes
• managing security risks of packages moving to open source

• security assurance of contributed code

• process for monitoring use of capabilities
• guidelines for secure coding and code audit
• potential for use of static analysis tools (e.g. Coverity)

• architectural measures to support platform security

• e.g. improving the “patchability” of read-only file systems
• possible inclusion of a client for security patch distribution

Partially in Scope

• Symbian Signed

• security of the symbiansigned.com portal is probably out of scope
• interaction of application acceptance criteria and use of capabilities in the Symbian platform is probably in scope

Out of Scope

• security of Symbian Foundation services

• e.g. symbian.org collaboration infrastructure, Symbian Horizon

Structure

Chaired by the Symbian Foundation:

• Craig Heath, Chief Security Technologist

Individual work items led by named working group members, assisted by contributions from other working group members. Inviting representation from:

• Device manufacturers
• Security researchers
• Network operators
• Package owners and committers
• Security tools vendors

No formal sub-groups have been proposed.

Work Items

Proposed work items from the informal kick-off meeting (further details in the minutes):

• Security incident handling process
• Patch management and vulnerability mitigation
• Threat analysis of granting the "extended" capability set (CommDD, DiskAdmin, MultimediaDD, NetworkControl)
• Guidelines for package owners in accepting contributions

Working Group Meetings

• Informal Interest Group 27-08-2009 Meeting Agenda & Minutes

Mailing List

Security Strategy Working Group Mailing List

Comments

Sign in to comment…