Code review/audit and/or version control

[George Capehart <capegeo () opengroup org>]

The comments below were taken from an out-of-band exchange with the
moderator after he rejected a comment I made early in the thread on FWTK
and smap.  The conversation took an interesting twist, and when Paul
said:

> "I agree, and again- I'd *happily* approve a longer posting.  I think the 
> issues are important, and while it's a little off-topic, I don't think 
> it's horribly so."

I thought I'd take him at his word.  ;-)

The topic got around to the problems of managing code integrity, code
reviews, version control, etc. through the complete life cycle of a
system.  It touched on reintroducing buggy code into the production
branch, even knowingly . . . "re-auditing" code, etc.  I have included a
section of the last message below.  Using that as the basis for
discussion, I'll take the straw position that code that has been
"audited out" of a distribution because of quality or security reasons
should not be allowed back in.

<  -----  Begin excerpt  -----  >
> Wow!  That's interesting.  On a Y2K project, I ran into some code that
> had been around so long that no one knew where the source was, but I
> don't think it was that old . . . Incredible.  I'm sure that the reason
> the DBMS was still in use is that it was a robust product.  In the case
> of the Y2K project, no one was willing to take it out of the job stream
> 'cause no one knew what it did . . .  ~<8-}

That's typically how it goes!  Back when I could make patches by looking 
at object code, my threshold for mucking with things was way different 
than it is now ;)

> Well, I don't know about that particular environment, so I can't say. 
> However, for the system I described above, the *absence* of
> source/version
> control made even code review impossible . . . excepting, of course the
> disassembled object.  It's been a *looooong* time since I've written
> assembler for any architecture, much less the System 3xx . . .  ;-)

Thank goodness the DBMS job was the last time I did that, after 4.5
years 
of mostly assembler development, I think I was as happy to leave it as I 
was when I started it to get the job.  I haven't touched PL/1 since 92, 
and 3x0 assembler since about 93.

> For me it is not a zero-sum game between code review and version
> control.  I'm afraid that I might have given that impression.  I do
> understand the need for resurrecting old code.  However, I do not
> understand the need to resurrect code that has known memory leaks, bad

Better the leaks you know than the ones you don't?  It's not a *good* 
reason, but I've seen it done before.

> There is another reason that code review is important to me.  When a
> system is initially designed and constructed, the requirements, design
> and implementation decisions are based on assumptions about the chain of
> trust and controls that are going to be in place when the system is put
> into production.  Over time, as systems evolve and vulnerability
> profiles change, those assumptions can become invalid.  This means that

That's a very important issue which is overlooked way too frequently for 
my tastes.  It's one of the reaons I preferred to have a good ongoing 
relationship with my vendors- so I could say "Hey, I'm looking at doing 
foo, is that going to change this assumption?"

> systems that were "secure" when implemented are not any longer.  So, for
> me, whenever a system is modified, one should do a review of the
> potentially vulnerable parts of the legacy code.  So, I'm definitely not
> saying that code reviews are not important.  What I should have more
> careful in saying (and admit that this *is* a matter of religion) is
> that it is my personal opinion that code that has been audited and
> rejected because of poor quality or because it contains known
> vulnerabilities should never be allowed back into the production branch.
> ;-)
<  -----   End excerpt   -----   >

George Capehart
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards