OpenSSH Security Testing Kick Off

PowerShell Team

May 1st, 2017

Over the past while, we’ve been very busy porting OpenSSH to Win32. We’ve been working with the OpenSSH community in our GitHub repository, and are nearing a point where we are taking steps to make it production ready.

Security is obviously something that we have focused on during every phase of the project. As part of this production readiness phase, however, we are additionally funding an extensive penetration test. We have engaged Casaba Security as part of this effort, who will be digging deep into the implementation over the next 1-2 months.

As with all aspects of this project, one of our main goals is to contribute to the OpenSSH community as a whole, not just to create a Microsoft fork. As such, the scope of this analysis will include Microsoft contributions, but will dedicate significant time to OpenSSH core as well.

We will of course share the findings and final report from this review with the community.

Please Join Us!

As part of this phase, we’d love your participation, as well!

We’re keeping extensive design documentation for all decisions we’ve been making, especially security-sensitive ones. We’ve been tracking security discussions and issues as they arise. And there’s code. Lots of it J

We’d appreciate any expertise you’d like to contribute: security design reviews, security code reviews, security fixes for open issues, security testing, fuzzing, you name it. And don’t limit yourself to the Windows parts – findings in any aspect of OpenSSH improve the security of the whole community and industry.

Reporting Issues

If you think you’ve found a security vulnerability, please follow the OpenSSH reporting guidance by sending an email to openssh@openssh.com.

If you’ve got other forms of security feedback (for example, design feedback or defence-in-depth feedback), please use the [Security] prefix and file a GitHub issue.

We look forward to your feedback!

Lee Holmes Principal Security Architect Azure Management