16Jul2009 (UTC +8) Hello world,
2009/7/15 Pablo Manalastas <[email protected]>:
> For those who are interested in meeting face-to-face this weekend to discuss
> issues connected with source code review and Linux security of election 2010,
> you are invited to join us at
>
> CenPEG office
> 3rd Floor, College of Social Work
> Magsaysay Avenue near corner Ylanan
> University of the Philippines
> Diliman, Q.C.
>
> 2:00 PM - 4:00 PM
> Saturday, July 18, 2009
>
> Please email me at [email protected] if you are coming, so we can have a
> head count. Thanks.

All this talk about source code review is terribly exciting, especially when I fail to see *yet* in all the chatter, any realistic expectations. IMHO, I think time is running out fast. The source code reviewers will need a lot of time to work on this, as well as commitment from the vendor's developers.

I'd like to share with you my similar experiences years ago, when I was still with Check Point Software Tech. To enable it to pass Common Criteria EAL4 requirements, a team of less than 5 will have to work with the VPN-1/Firewall-1 developers (300+) and documentation writers, and coordinating with America's NSA, for about *one* year.

Source code auditors will *always* find something wrong and unacceptable, so that's why the problems will have to go back to the vendor's developers for patches, and the cycle goes on... until the list of bugs has been trimmed down to a manageable size with acceptable risks. For this undertaking, it will be COMELEC who will have to ultimately decide on acceptable risks, as they will be the ones held responsible and accountable for our national elections.

My colleagues have since then moved to other similar projects, like consulting work for the MS Server 2003, and the Imperva web application firewall, and it's approximately the same time and effort: dealing with millions of LoCs takes about a year. Some projects did take much shorter, because just in the analysis stage some applications are so badly designed it had to be taken back to its first stage of the SDLC.

And then there are the assurance level requirements. Nobody has said yet what are the reasonable efforts required to achieve the objective which is to prove that the IT systems in question will work as it should --no more, no less.

I do however, see a lot of so-called "solutions": technical answers to risks and problems that unfortunately have not been defined and documented, much less systematically analyzed. The efforts required must be *balanced* between cost (time, effort, and other resources) versus the required trustworthiness of the IT systems.

Hope this helps, my fellow Filipinos.

Drexx Laggui -- CISA, CISSP, CFE Associate, ISO27001 LA, CCSI, CSA
http://www.laggui.com ( Singapore / Manila / California )
Computer forensics; Penetration testing; QMS & ISMS developers; K-Transfer
PGP fingerprint = 6E62 A089 E3EA 1B93 BFB4 8363 FFEC 3976 FF31 8A4E

