Full Disclosure mailing list archives

Re: How secure is software X?


From: Blue Boar <BlueBoar () thievco com>
Date: Thu, 11 May 2006 20:20:30 -0700

So pin it down a bit more for me.

Do you want just public results of standardized blackbox testing? Something similar to the ICSA firewall certification? (Though, I assume you want actual public results.)

Would you include source review? The Sardonix project tried to do that.

Who does the testing, and who pays for the time and equipment to do that? Do all products get re-tested every time a new version of the product suite is released? Do the test suites have to be free? Do they re-test for every release of the victim software?

Don't people like yourself derive some benefit from having some portion of your assessment work stay proprietary? If I'm trying to enhance the test suite with some new fuzzing, and I find a sexy bug, don't the incentives tend to lean towards me selling the bug to iDefense and hiding my fuzzer in the meantime?

Don't we fairly quickly arrive at all products passing all the standard tests, and "passing" no longer means anything?

I like the idea, but I'm wondering why people would contribute. I'm also wondering how it can stay consumer-beneficial, and not end up being driven by product vendors.

                                                BB

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
