Firewall Wizards mailing list archives

Re: Sardonix Security Auditing Portal


From: Crispin Cowan <crispin () wirex com>
Date: Fri, 08 Feb 2002 15:20:31 -0800

Paul Robertson wrote:

> On Tue, 5 Feb 2002, Crispin Cowan wrote:
>
>> Since then, LSAP has failed to really live up to its mission.  While the
>> LSAP mailing list has become a very nice chat room for discussing
>> security issues, not much software is actually audited any more.

> Might that be because the LSAP hasn't encouraged new auditors - without a
> "how do I audit code?" section, people who aren't accomplished in
> whichever language it is won't begin in a place where they could learn and
> be useful.

LSAP did have some encouragement/howto docs, but could have done it better. We're trying to do it better.

>> * Repository for audited code:  importantly, identifying who has
>>   audited the code, and what issues were found.

> Some sort of independent verification or validation would probably help
> significantly.

That stuff about subsequent audits and scoring is intended to provide for validation.

>> * the karma whore effect: we conjecture that a web site that will
>>   mechanically compute a number of how l33t you are will attract
>>   people to audit code.  Consider how hard people will work just
>>   to score karma points on Slashdot :-)

> How will you ensure that people aren't auditing outdated code for which a
> fix already exists?  What about the karma whoring "I'll create bad code
> and you fix it" stuff?

Each candidate program will have links to the package's home page. It shouldn't be very difficult to detect when an audit references a badly dated version. However, there is utility in auditing an older stable version in the face of a newer beta.

>> We also will be encouraging responsible reporting. The audit submission
>> form explicitly asks you if you have followed the RFP
>> http://www.wiretrip.net/rfp/policy.html and notified the package
>> maintainer prior to publishing your findings.

> Perhaps getting into escrowing the reports would be useful?

Actually we have an elaborate escrow plan http://archives.neohapsis.com/archives/nfr-wizards/1999_2/0416.html but don't intend to deploy it for a while yet.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

       The Olympic Games: A Century of Corruption and Graft
             The FIS: Crushing the soul of snowboarding


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

