Dragan, our experience is that organisations often adopt something like
BlackDuck and then use that as their benchmark.

On Sun, Apr 15, 2018 at 10:59 AM, Dragan Djuric <draga...@gmail.com> wrote:

> Hi all. Very interesting thread! I guess that not many Clojure developers
> are in this situation, but I hope many more will be; that would mean that
> Clojure got a foot in the door of the enterprise.
>
> Gregg, I need a little clarification on the last thing you mentioned: Is a
> dependency treated as secure and given the green checkmark in usual
> security procedures if there is a (community) security audit that
> systematically listed vulnerabilities and recommended ways to avoid them?
> What is (in your experience with banking) the minimum amount of "burden"
> necessary so that an artifact is given a passing mark? Is there a broader
> standard, or does each client have its own checklist? How well defined are
> those procedures? Do they update at a glacial pace, or are good and honest
> efforts on a case-by-case basis accepted (such as hiring a security
> expert to audit the code with not-so-standard procedures)?
>
> On Friday, April 13, 2018 at 11:24:54 PM UTC+2, Gregg Reynolds wrote:
>>
>>
>>
>> On Fri, Apr 13, 2018, 4:09 PM Aaron Bedra <aaron...@gmail.com> wrote:
>>
>>> Penetration testing is something performed on an application, but a
>>> source code review of the language is certainly an interesting idea. My
>>> company does these all the time. I ran this by my folks and there was
>>> certainly interest. If we could publish the results and create a healthy
>>> discussion my company would be happy to participate and do this at a fixed
>>> and heavily discounted price.
>>>
>>
>> Naive question from the clueless peanut gallery: are you talking about a
>> security audit of clojure core (& etc) source, which could then be cited as
>> evidence by app developers?
>>
>> E.g. I build an app against a signed version of clojure which is
>> "certified" in some sense? Then I only have to audit my code (and lib
>> dependencies)?
>>
>> Gregg
>>

-- 
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your 
first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
--- 
You received this message because you are subscribed to the Google Groups 
"Clojure" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to clojure+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
