A recent backdoor breach in Debian SSH connections, facilitated by an adversarial code contribution to the xz/liblzma project[1], underscores the need for rigorous vetting of code, contributors and intent. wolfSSL Inc. implements stringent procedures to prevent scenarios like malicious code merges.
For non-employee code contributors:
- An authorized wolfSSL Inc. employee provides written acceptance to evaluate proposed code changes, signaling to other employees that the changes have been vetted for suspect code patterns and desirable content is present in the proposal
- wolfSSL Inc. conducts a legal review of contributors’ signed agreements and approval history, considering factors such as organizational changes and the ongoing justification for contribution irrespective of desirable content.
- wolfSSL Inc requires a written explanation from the author summarizing the benefits of the proposed change and project involvement justifying the proposal.
- Prior to code merge, all continuous integration tests must pass, including static and dynamic analysis. Performance and resource criteria must also be met, confirming no significant negative impact on throughput, performance, or binary object size.
- Prior to code merge, and in addition to the first authority approval, 1-4 wolfSSL Inc employees must review the code for final approval. Unreviewed code is never merged.
Internally, code changes from employees are also thoroughly vetted, including an identical code review process:
- wolfSSL Inc requires a written explanation from the employee author summarizing the benefits of the proposed change.
- Prior to code merge, all continuous integration tests must pass, including static and dynamic analysis and performance criteria.
- Prior to code merge, 1-3 additional wolfSSL Inc employees must review the code for final approval. Unreviewed code is never merged.
On a daily basis, all code is subjected to extensive offline analysis, targeting a wide variety of systems and configurations. Historical, current, and prerelease toolchains and analyzers are used in vetting. Before tagging a release, wolfSSL has a policy of zero reported defects from the continuously updating and expanding mainline automated analysis suite.
These processes exemplify wolfSSL Inc.’s commitment to safeguarding source code against malicious backdoor introductions, and other suspect code patterns, intentional or otherwise.
References
If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now