Firewall Wizards mailing list archives

Re: Sardonix Security Auditing Portal


From: Crispin Cowan <crispin () wirex com>
Date: Thu, 07 Feb 2002 23:57:59 -0800

John McDermott wrote:

I would suggest adding points for providing the fix, or at least *a*
fix, even if the fix is not adopted by the code's maintainer.

I like it. I don't think it should be huge points, but I like it.

This removes some of the work from the maintainer and encourages the auditor
to not only discover problems, but to also discover the specifics of the
problem and how it might be fixed.  I can see, for example, an
individual beating on a tool until it fails and making a report that
with a particular input stream or whatever, the tool fails.  Actually
finding what is wrong is important so encouraging the finding of a fix
might be something to reward.

True, a report of "it segfaults when you do this" is less useful than it could be. Also, discovering that a program can be made to segfault with big/random inputs is not exactly a *source*code* audit.

However, it is the case that it is often a short walk from discovering a seg fault to discovering a buffer overflow or a format bug.

Another possibility might be to award points for the creation of auditing
tools.  This is, in general, a hard problem (or else we'd all just test
our code with the one true audit program and the site would not be
necessary).  Rewarding good tools might encourage some of the research
necessary to get such tools created.

We reward auditing tools by listing them in our Auditing Resources page http://sardonix.org/Auditing_Resources.html

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

       The Olympic Games: A Century of Corruption and Graft
             The FIS: Crushing the soul of snowboarding
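The "short walk" from a segfault report to a buffer overflow that Crispin describes, as an added illustration that is not part of this message or of the Sardonix project: a C function with the unbounded strcpy() an auditor would look for after a report of "it segfaults on long input", beside a bounded version that rejects oversized input, with user data passed to printf() as an argument rather than as the format (the format bug the reply also mentions). The function names (greet_unsafe, greet_safe), NAME_MAX and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 15   /* 16-byte buffer: 15 characters plus the terminating NUL */

/* "Before": the code behind a report that reads "it segfaults when you feed
 * it a long string". strcpy() does not know how large buf is, so any input
 * longer than NAME_MAX bytes writes past the end of the array. That stack
 * overwrite is the buffer overflow hiding behind the segfault; the auditor's
 * job is to find this line, not just the crashing input. Kept for
 * comparison only: never call it with untrusted input. */
void greet_unsafe(const char *name)
{
    char buf[NAME_MAX + 1];
    strcpy(buf, name);                 /* no bound on the copy */
    printf("hello %s\n", buf);
}

/* "After": check the length before copying and refuse input that does not
 * fit. Returns 0 on success, -1 if the name is too long. The copy length is
 * explicit and derived from the check, and user data only ever appears as a
 * printf argument ("%s"), never as the format string itself. */
int greet_safe(const char *name)
{
    char buf[NAME_MAX + 1];
    size_t len = strlen(name);

    if (len > NAME_MAX)
        return -1;                     /* reject instead of overflowing */

    memcpy(buf, name, len + 1);        /* len + 1 copies the NUL as well */
    printf("hello %s\n", buf);         /* data as argument, not as format */
    return 0;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that would have overflowed
     * the 16-byte buffer in greet_unsafe(). */
    const char *short_name = "alice";
    const char *long_name  = "this name is far longer than fifteen characters";

    if (greet_safe(short_name) != 0)
        printf("unexpected: short name rejected\n");
    if (greet_safe(long_name) == -1)
        printf("rejected oversized input (%zu bytes)\n", strlen(long_name));
    return 0;
}
```

The point for the auditor is the check in greet_safe(): once the crashing input is known, the question is which copy lacks a bound, and the fix is to make the bound explicit and to fail closed rather than truncate silently.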



_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

