Mike Small wrote:
> vs. proprietary software in general. I question your response that seemed to be saying black box testing is everything since whitebox testing, code scanning and auditing are also obviously useful, but mostly because I don't see how it protects you from purposeful
Auditing won't find problems like Heartbleed if the auditors don't understand what they're looking at. Automated code scanning won't trip over correctly written stupidity. White box testing like this will only tell you that the syntax is correct, that the code generates deterministic results for known input. White box testing gets you results like that scene in "Jurassic Park" where the programmer removes the count limiter from the dinosaur population counter and the numbers skyrocket.
> evasion. It's very easy to write code whose output looks fine 999 out of 1000 runs. If an insider leaks this fact to the press, what do you get from a company except a denial? If you don't have the source in question how do you get past he said, she said?
By demonstrating that failure with a proof of concept. You don't need source code for that, just a working exploit to show to the vendor's security team and then the world at large if the security team fails to address the issue in a timely manner.
> With cloud maybe there's a further question: how do you validate that the server's running the code they say they are? But I was thinking more in general. (I don't use cloud services much myself.)
By identifying deterministic results.

-- 
Rich P.

_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss
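The thread's two points, that an implementation can look correct 999 runs out of 1000 and that the black-box answer is to check for deterministic results, can be shown with a small differential harness. The following is an added example written for this post, not code from either participant. It assumes a trusted reference (here SHA-256 from the standard library) and uses a constructed stand-in for an untrusted implementation that silently corrupts one hex digit on every 1000th call; the counter is internal, so the tester sees only inputs and outputs, exactly the situation without source access.

```python
"""Black-box differential testing: detect an implementation whose output is
correct on most runs but not all, using only its input/output behaviour."""
import hashlib
from typing import Callable, List, Set, Tuple

Impl = Callable[[bytes], str]


def reference(data: bytes) -> str:
    """Trusted reference: SHA-256 hex digest, deterministic by definition."""
    return hashlib.sha256(data).hexdigest()


def make_intermittent_impl(period: int = 1000) -> Impl:
    """Constructed stand-in for an untrusted implementation (hypothetical).

    It matches the reference except on every `period`-th call, where it
    flips the low bit of the last hex digit. Nothing about the failure is
    visible from outside except the output itself."""
    calls = {"n": 0}

    def impl(data: bytes) -> str:
        calls["n"] += 1
        digest = reference(data)
        if calls["n"] % period == 0:
            flipped = format(int(digest[-1], 16) ^ 1, "x")
            return digest[:-1] + flipped
        return digest

    return impl


def differential_test(impl: Impl, inputs: List[bytes],
                      runs: int) -> List[Tuple[bytes, int, str, str]]:
    """Run `impl` `runs` times on each input and record every output that
    disagrees with the reference as (input, run number, got, expected).
    A single run per input is the 'looks fine' case; many runs are needed
    to surface an intermittent fault."""
    mismatches = []
    for data in inputs:
        expected = reference(data)
        for r in range(1, runs + 1):
            got = impl(data)
            if got != expected:
                mismatches.append((data, r, got, expected))
    return mismatches


def distinct_outputs(impl: Impl, data: bytes, runs: int) -> Set[str]:
    """Self-consistency check that needs no trusted reference: a correct
    deterministic function yields exactly one output for a fixed input,
    so more than one distinct value proves something is wrong."""
    return {impl(data) for _ in range(runs)}


if __name__ == "__main__":
    # Constructed sample inputs; the 'correct 999 out of 1000' claim from
    # the thread shows up as an empty result for one run and a non-empty
    # one once the harness repeats the query enough times.
    inputs = [b"GET / HTTP/1.1", b"hello", b"\x00\x01\x02"]
    print("single run:", differential_test(make_intermittent_impl(), inputs, 1))
    print("1000 runs :", differential_test(make_intermittent_impl(), inputs, 1000))
    print("distinct  :", len(distinct_outputs(make_intermittent_impl(), b"x", 1000)))
```

`distinct_outputs` is the form that applies to the cloud question in the thread: even without source or a reference implementation, repeated queries with a fixed input should return one answer, and any second value is evidence that the service is not running what it claims.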
