Firewall Wizards mailing list archives

Re: Gauntlet: source code anyone ?


From: Darren Reed <darrenr () reed wattle id au>
Date: Mon, 22 Mar 1999 09:19:25 +1100 (EST)

In some email I received from Marcus J. Ranum, sie wrote:
> [...]
> 2. vendors don't appear to do a lot of testing, particularly of boundary
>   cases (just like all good s/w engineers should);

Typically, zilch.

> 3. vendors don't appear to have a very good quality control;

Typically, zilch.

> 4. those who buy commercial firewall products aren't interested in
>   doing a code review of their vendor.

Typically, zilch.

It occurs to me that the above three points are problems with the
process(es) being used by the companies manufacturing firewall products
and thus should be fixable...

ICSA supposedly reserve the right to brand firewalls "approved" or not,
hoping to distinguish worthy products from the unworthy, but how rigorous
are their tests ? Do they enter 1MB long strings/maximum size strings
with potentially confusing data at each and every input, including those
derived from external sources such as DNS, as an example to test
susceptibility to buffer overflows ?  Even if they did, is this likely
to help customers, or do we require something else which says your
product can only be categorised as a firewall if it is "approved" or
for Government to say that they'll only purchase "approved" products ?
(Heck, maybe requirements for branding something "Unix" should be required
 to change to include the above too - or maybe not, as then it wouldn't be
 "Unix" without buffer overflows ;-)

I'm sure that there is plenty of negativity around about how useful that
would be, but it seems that the vendors are of questionable capability,
so there needs to be someone else to set the level of the bar.

Darren
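An added illustration of the boundary-case testing the post asks for (example code, not from Darren's post or from any vendor's product): a fixed-size hostname field such as a proxy might fill from a DNS answer, the unbounded copy beside a length-checked one, and a driver that feeds the lengths around the limit plus a 1MB string. The field size, function names and sample inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size field for a hostname learned from DNS
 * (size chosen for this example, not taken from any product). */
#define HOST_MAX 64

/* 'Before': trusts the length of externally derived data. strcpy has no
 * bound, so a name of HOST_MAX bytes or more overruns host[]. Shown only
 * for contrast; the driver below never calls it. */
void store_hostname_unsafe(char host[HOST_MAX], const char *from_dns) {
    strcpy(host, from_dns);
}

/* Hardened: find the terminator within the bound first, reject anything
 * that does not fit, and only then copy. Returns 0 on success, -1 on
 * rejection (host[] is left as an empty string in that case). */
int store_hostname_safe(char host[HOST_MAX], const char *from_dns) {
    const char *end = memchr(from_dns, '\0', HOST_MAX); /* never scans past the bound */
    if (end == NULL) {
        host[0] = '\0';
        return -1;
    }
    memcpy(host, from_dns, (size_t)(end - from_dns) + 1);
    return 0;
}

/* Boundary-case driver in the spirit of the post: lengths just below, at
 * and above the limit, plus a 1MB string. Returns how many were rejected. */
int run_boundary_cases(void) {
    const size_t lengths[] = { 0, HOST_MAX - 2, HOST_MAX - 1, HOST_MAX,
                               HOST_MAX + 1, 1024 * 1024 };
    char host[HOST_MAX];
    int rejected = 0;
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        char *input = malloc(lengths[i] + 1);
        if (input == NULL) return -1;
        memset(input, 'A', lengths[i]);     /* constructed filler */
        input[lengths[i]] = '\0';
        int rc = store_hostname_safe(host, input);
        printf("len %7zu -> %s\n", lengths[i], rc == 0 ? "stored" : "rejected");
        if (rc != 0) rejected++;
        free(input);
    }
    return rejected;
}
```

The same driver run against store_hostname_unsafe would be exactly the kind of boundary test the post says vendors skip: the 63-byte case stores cleanly while 64 bytes and up silently write past the field.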


