On Tue, Nov 14, 2000 at 03:35:35PM -0500, Paul Jarc wrote:
> [EMAIL PROTECTED] writes:
> > Whilst an audit is a good idea, I don't see how a competition and
> > time in the field can actually make matters worse.
> 
> It can make people think a program is secure when no audit has been
> done, reducing the likelihood that anyone will call for an audit,
> leaving holes undiscovered.

Conversely, maybe an audit reduces the likelihood that anyone will bother
to scrutinize the source, leaving holes undiscovered...

All we're doing is speculating about which source of a "false sense of
security" is worse. Both have serious weaknesses.

Ideally of course we have lots of points of reference to give us confidence - a
formal audit, public scrutiny, large field usage, etc. I don't think that any one
is enough. On that basis, the more boxes you tick off, the closer you get to
feeling comfortable.


Regards.
