Why not built-in vulnerability checking???
Posted Jul 5, 2007 11:45 UTC (Thu) by jabby
Parent article: Counting vulnerabilities
A huge step forward would be for major project hosting sites (like SourceForge) to include vulnerability scanning. A quick search at freshmeat.net turns up a few FOSS source checkers that could be deployed against the code stored in these repositories (sparse, Audit-Perl). [And there's always the potential for these services to collaborate with the commercial scanning companies (Coverity) and/or DHS.]
The first objection will be that this will show all of those vulnerabilities to every black hat in the world. I shouldn't have to point out that this is something that they could have done themselves with a script. But, to appease this fear, the security scan results could be kept behind password access for project members/owners only.
Beyond that, the hosting service would just need to encourage its use. If scans were not done automatically after every update to the code (conceivably a burden on the hosting service), then there should at least be some sort of effort to force the code maintainers to scan their code before each release. If they elect *not* to scan, then a red flag could be inserted somewhere in the downloads page to notify potential users that this code has not been checked with the hosting service's vulnerability scanning tool.
It's not a perfect solution, but I'd consider it a way to avoid a raft of vulnerabilities now and into the future in one fell swoop.