Firewall Wizards mailing list archives
Re: Sardonix Security Auditing Portal
From: Crispin Cowan <crispin () wirex com>
Date: Fri, 08 Feb 2002 15:20:31 -0800
Paul Robertson wrote:

> On Tue, 5 Feb 2002, Crispin Cowan wrote:
>
> > Since then, LSAP has failed to really live up to its mission. While the LSAP mailing list has become a very nice chat room for discussing security issues, not much software is actually audited any more.
>
> Might that be because the LSAP hasn't encouraged new auditors? Without a "how do I audit code?" section, people who aren't accomplished in whichever language it is won't begin in a place where they could learn and be useful.

LSAP did have some encouragement/howto docs, but could have done it better. We're trying to do it better.

> > * Repository for audited code: importantly, identifying who has audited the code, and what issues were found.
>
> Some sort of independent verification or validation would probably help significantly.

That stuff about subsequent audits and scoring is intended to provide for validation.

> > * the karma whore effect: we conjecture that a web site that will mechanically compute a number of how l33t you are will attract people to audit code. Consider how hard people will work just to score karma points on Slashdot :-)
>
> How will you ensure that people aren't auditing outdated code for which a fix already exists? What about the karma whoring "I'll create bad code and you fix it" stuff?

Each candidate program will have links to the package's home page. It shouldn't be very difficult to detect when an audit references a badly dated version. However, there is utility in auditing an older stable version in the face of a newer beta.

> Perhaps getting into escrowing the reports would be useful?

Actually we have an elaborate escrow plan http://archives.neohapsis.com/archives/nfr-wizards/1999_2/0416.html but don't intend to deploy it for a while yet.

We also will be encouraging responsible reporting. The audit submission form explicitly asks you if you have followed the RFP http://www.wiretrip.net/rfp/policy.html and notified the package maintainer prior to publishing your findings.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
The Olympic Games: A Century of Corruption and Graft
The FIS: Crushing the soul of snowboarding

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards