Firewall Wizards mailing list archives
Re: Penetration testing via shrinkware
From: "Joseph S. D. Yao" <jsdy () cospo osis gov>
Date: Tue, 22 Sep 1998 11:23:54 -0400 (EDT)
> I have never seen any data that suggest that formally-evaluated systems are (much, if any) higher quality than non-evaluated systems. ...

Interestingly, the largest base of peer-reviewed software around appears to be much more stable than most commercial systems of any kind. I'm referring, of course, to Open Source software - GNU, *BSD, Linux, et al. It also affords much quicker upgrade turn-around time. Of course, "stable" has more than one meaning ... and that same software is far from stable, if you want a product that doesn't change for a long period of time [and thus has no new bugs introduced].

Right now, there's an attempt to do a Security Audit on Linux and the software that runs on it. It's interesting - perhaps someone should document it. Despite the "peer review", there had previously been no formal effort to remove vulnerabilities. And they're finding potential vulnerabilities - or they think they are - right and left. This from the system I had just described as more stable than most. But the people doing this are just volunteers with no special training. In fact, from what I can tell, their abilities range all over the map. It's possible that "cookbook vulnerabilities" that some of them are finding really aren't. It's also possible that they're missing some.

What does this mish-mash of observations tell us? Nothing new. The art of software development is still in its childhood. Programmers abound, but software engineers - or programmers who use a software engineering approach - are few and far between. There is no method that is "foolproof"; and if one existed, it probably wouldn't be "damfoolproof". Peer review is wonderful, but first you need (a) something against which to review (specifications? design?), (b) perhaps a methodology, (c) certainly a methodological approach, and (d) probably some talent. And formal proofs are behind even that curve. ;-)

--
Joe Yao jsdy () cospo osis gov - Joseph S. D. Yao
COSPO Computer Support EMT-A/B
-----------------------------------------------------------------------
PLEASE ... send or Cc: all "COSPO Computer Support" mail to sys-adm () cospo osis gov
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.