Educause Security Discussion mailing list archives
Re: Understanding the security implications of SAKAI?
From: Theresa M Rowe <rowe () OAKLAND EDU>
Date: Fri, 17 Sep 2004 20:19:44 -0400
Actually, I think about open source quite differently than I do vendor source in these areas. How do I, as a consumer, know that there are no "hidden lines" of code that could disrupt privacy or gather unauthorized information? When I worked in software development for the automotive industry some years ago, independent auditing firms were hired to review program code to check for unauthorized code, invalid formulas in business decisions, or other "untrustworthy" modules. Our university is no longer staffed to do that sort of auditing, nor could we afford an independent auditor. We write those kinds of checks into our software contract. We do use some open source, but we are very selective about where we use it. The closer it gets to official counts or monies, the more uncomfortable I am without audit controls at the code level. Theresa Rowe Oakland University
The biggest potential issues are shared by both open-source
and proprietary
systems. At a high level: - Is the design OK? - Is there an authentication model and
mechanism?
- Is there a good authorization model? - What are the administrative processes,
and do they function well?
Are administrative functions assigned and
delegated to those
with an interest (and the time) to make
the right things happen?
- Is the implementation (by the developers) OK? - Is the implementation (by the deployers) OK? - Are whole new social issues created or exposed by
the use of the system?
x - Is configuration prone to certain pitfalls? - Is installation of the underlying web app
environment prone to certain pitfalls?
- In the heat of the moment, are insecure
mechanisms chosen by developers or deployers?
The biggest risk is assuming that the platform or vendor
has figured
this out for you, so you don't have to look hard yourself.
Any powerful
general-purpose platform offers plenty of potential for bad
implementation
decisions even if the platform itself is perfect. Both
community and
local review with sufficient effort is a good idea. Ideally you'd think about the same issues for this or for,
say, a Blackboard
implementation. Liudvikas Bukys Scientist <bukys () cs rochester edu> ********** Participation and subscription information for this
EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/. Theresa Rowe Assistant Vice President University Technology Services www.oakland.edu/uts - the latest news from University Technology Services ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- Understanding the security implications of SAKAI? James Moore (Sep 15)
- <Possible follow-ups>
- Re: Understanding the security implications of SAKAI? Liudvikas Bukys (Sep 15)
- Re: Understanding the security implications of SAKAI? Theresa M Rowe (Sep 17)