Ken Foskey wrote:

On Mon, 2004-09-20 at 23:56, O Plameras wrote:



Common sense will tell us that Open Source is rigorously audited by its nature. And it is a simple process to catch security breaches even by using simple tools like "diff", etc.



What are you auditing for?
- Breach of copyright
- potential security holes that can be exploited (aka black hats)
- potential bugs that can damage your use of software
- ???

diff is somewhat useful for the first but not the other two.


When one has audited code that is deemed secure, a diff is created
against the newer code.

Then the results are examined for changes. These changes are then
analysed manually, if practical, so avoiding looking at the entire code again.


There are automated tools that can help with the second.  Note that "help" is
the operative word here.  It takes diligence for the second: how many
applications have you carefully reviewed before using them?  I certainly
have not.



Even more is required because users do not bother to check their software. It is not
assumed that all software is to be audited; only the critical pieces.


By auditing I mean manual (or visual) and automated processes.

This is where the auditors will come in with their swags of tools. The auditors
are different groups of people from the coders and developers applying their tools.


Of course the auditors may not be able to identify all security breaches, depending
on their tools, their abilities, and the time available, but they become part of the review
process that makes certain software more secure when an organization


The third takes pure diligence and testing.




-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
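The workflow the thread describes (diff a new release against a baseline that has already been audited, then spend the manual effort only on what changed) as an added example in Python. This is not code from the thread or from SLUG; the two C sources are constructed for the example, and the list of risky calls is an assumed starting point for a reviewer, not an exhaustive one.

```python
"""
Triage a new release against an audited baseline: diff first, then flag
the added lines that deserve a manual look first. Everything added still
goes to a human; the flags only set the order. The sources and the
pattern list below are constructed/assumed for this example.
"""
import difflib
import re

# Calls a reviewer would want to see on *added* lines (assumed list).
RISKY_PATTERNS = {
    "unbounded copy": re.compile(r"\b(strcpy|strcat|sprintf|gets)\s*\("),
    "shell execution": re.compile(r"\b(system|popen)\s*\("),
    "privilege change": re.compile(r"\b(setuid|seteuid|setgid)\s*\("),
}

# Constructed baseline: the version that was audited and signed off.
AUDITED = """\
#include <stdio.h>
#include <string.h>

int greet(const char *name) {
    char buf[64];
    snprintf(buf, sizeof buf, "hello %s", name);
    puts(buf);
    return 0;
}
"""

# Constructed newer release: one regression, one new shell-out.
NEW_RELEASE = """\
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int greet(const char *name) {
    char buf[64];
    strcpy(buf, name);            /* regression: no bounds check */
    puts(buf);
    return 0;
}

int log_name(const char *name) {
    char cmd[128];
    snprintf(cmd, sizeof cmd, "logger %s", name);
    return system(cmd);           /* new: shell out with user data */
}
"""


def added_lines(old_src, new_src, path="src.c"):
    """Return (line_number_in_new_file, text) for every line the diff adds."""
    diff = difflib.unified_diff(
        old_src.splitlines(), new_src.splitlines(),
        fromfile=f"audited/{path}", tofile=f"new/{path}", lineterm="", n=0,
    )
    added = []
    in_hunk = False
    new_lineno = 0
    for line in diff:
        if line.startswith("@@"):
            # Hunk header "@@ -a,b +c,d @@": c is the first new-file line.
            in_hunk = True
            new_lineno = int(re.search(r"\+(\d+)", line).group(1))
        elif not in_hunk:
            continue                      # "---" / "+++" file headers
        elif line.startswith("+"):
            added.append((new_lineno, line[1:]))
            new_lineno += 1
        elif line.startswith(" "):
            new_lineno += 1               # context line (none with n=0)
        # "-" lines belong to the old file and do not advance new_lineno
    return added


def triage(old_src, new_src, path="src.c"):
    """Split added lines into (flagged, plain).

    flagged entries are (line_no, reason, text); plain are (line_no, text).
    """
    flagged, plain = [], []
    for lineno, text in added_lines(old_src, new_src, path):
        hits = [name for name, rx in RISKY_PATTERNS.items() if rx.search(text)]
        if hits:
            flagged.append((lineno, hits[0], text.strip()))
        else:
            plain.append((lineno, text.strip()))
    return flagged, plain


if __name__ == "__main__":
    flagged, plain = triage(AUDITED, NEW_RELEASE)
    print("Review first:")
    for lineno, reason, text in flagged:
        print(f"  src.c:{lineno} [{reason}] {text}")
    print(f"Then the other {len(plain)} added line(s).")
```

The point of the second function is the one made in the thread: the diff does not tell you whether a change is safe, it only tells you where to look, and a regex over added lines is a crude way to order that look. In the constructed sample it surfaces the `strcpy` regression and the new `system()` call while leaving the harmless `#include` and `snprintf` lines in the ordinary queue.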
