Adam McKenna <[EMAIL PROTECTED]> writes:
> On Tue, Nov 14, 2000 at 03:35:35PM -0500, Paul Jarc wrote:
> > [EMAIL PROTECTED] writes:
> > > Whilst an audit is a good idea, I don't see how a competition and
> > > time in the field can actually make matters worse.
> >
> > It can make people think a program is secure when no audit has been
> > done, reducing the likelihood that anyone will call for an audit,
> > leaving holes undiscovered.
>
> And a formal audit can miss security holes, reducing the likelihood
> that anyone will call for further audits, leaving holes undiscovered
> -- it's a double-edged sword. Auditing is an ongoing process, not
> something which takes place at one point in time and unilaterally
> declares something "secure".
None of this conflicts with what I said above, though. An audit is
more likely to find holes than is casual scrutiny in the field. An
audit is likely to be better than no audit.
paul