oss-sec mailing list archives

Re: Thoughts on Shellshock and beyond


From: Loganaden Velvindron <loganaden () gmail com>
Date: Tue, 7 Oct 2014 13:31:09 +0400

On Tue, Oct 7, 2014 at 1:11 PM, Hanno Böck <hanno () hboeck de> wrote:
Hi,

Yesterday I wrote down some thoughts on Shellshock, Heartbleed and the
whole issue of free software security:
https://blog.hboeck.de/archives/857-How-to-stop-Bleeding-Hearts-and-Shocking-Shells.html

Basically my key point is: These events caused interest in the sec
community and people had a look - and found further issues.

My question would be: Can we get that attention somehow *before* an
event like shellshock happens? We probably all could name products that
could have sec bugs with similar severity.

I outlined a vague idea: Would it work if we'd say we make a "sec
people, please have a look at software XY"-day? Would people do that?

Heartbleed and Shellshock give me the feeling that there probably are,
right now, security bugs with similar severity active on our systems.
Let's have a discussion how we can find them.


OpenBSD has been pretty successful at building a secure Operating
System. I think that their approach works pretty well. By looking at
what they are doing, this might give insight on how to increase
interest in doing code audits in other Open Source projects.



cu,
--
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42



-- 
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.

