Code Audit Report for RPKI
Dear colleagues,

Continuing from the work we started last year on strengthening our security compliance, we have asked an external party to carry out a security audit of our RPKI code. This was an important element in preparation for open sourcing the RPKI core code, which will be done in early January 2022.

We are publishing the security report for the second year in an effort to increase transparency and trust in the RPKI system. On our website [0], you will now find the code audit report written by Radically Open Security in 2021 and our response to their findings.

We hope you will find these reports useful, and we look forward to your feedback.

[0] - https://www.ripe.net/manage-ips-and-asns/resource-management/rpki/security-a...

Kind regards,

Bart Bakker
Senior Software Engineer
RIPE NCC
Dear Bart, RIPE NCC RPKI team,

On Fri, Dec 03, 2021 at 12:47:05PM +0100, Bart Bakker wrote:
> Continuing from the work we started last year on strengthening our security compliance, we have asked an external party to carry out a security audit of our RPKI code. This was an important element in preparation for open sourcing the RPKI core code, which will be done in early January 2022.
That is welcome news!
> We are publishing the security report for the second year in an effort to increase transparency and trust in the RPKI system. On our website [0], you will now find the code audit report written by Radically Open Security in 2021 and our response to their findings.
>
> We hope you will find these reports useful, and we look forward to your feedback.
>
> [0] - https://www.ripe.net/manage-ips-and-asns/resource-management/rpki/security-a...
Thank you for sharing this. Both the audit report and the response to the audit report seemed comprehensive and informative.

Out of curiosity, will RIPE NCC employ a different (new) auditor in 2022? Periodically changing auditors can potentially help increase the diversity in terms of perspective on code and security. Each auditor represents 'fresh eyes', a useful characteristic when dealing with complex systems.

Kind regards,

Job
Dear Job,

Thanks for taking interest.
On Dec 9, 2021, at 3:46 PM, Job Snijders <job@fastly.com> wrote:
> Thank you for sharing this. Both the audit report and the response to the audit report seemed comprehensive and informative.
>
> Out of curiosity, will RIPE NCC employ a different (new) auditor in 2022? Periodically changing auditors can potentially help increase the diversity in terms of perspective on code and security. Each auditor represents 'fresh eyes', a useful characteristic when dealing with complex systems.
We agree on this. Prior to commissioning an audit, we select an auditing company that best matches our criteria for the specific audit. In 2021, we found that Radically Open Security best fit our requirements for the audits we needed. In 2020, we had penetration tests done by a different auditing company.

Through this exercise, we also found that not all auditors allow the publication of the results. Since this is something we value, we will continue to select auditors that allow us to make the results publicly available. Having different perspectives is another important criterion, so we'll make sure we explore other vendors during the selection process.

Hope this helps.

Kind regards,

Bart Bakker
RIPE NCC