Mike Small wrote:
So you're left with only black box testing. No static analysis tools, no runtime memory debuggers, no discussing the problem and the general code quality in public forums, no forking the project and trimming the awful 300,000 lines down to something more manageable with the "exploit mitigation countermeasures" removed (
None of these told us about the Heartbleed flaw in OpenSSL. As a matter of fact, it was Codenomicon attacking their own servers that led to the worldwide revelation. Black box testing worked where open source philosophy utterly, completely, catastrophically failed.
-- Rich P.

_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss
