Reasoning Releases Results of a Software Code Audit of the Apache Web Server
Posted Jul 2, 2003 4:51 UTC (Wed) by piman
Parent article: Reasoning Releases Results of a Software Code Audit of the Apache Web Server
This also depends on how you define a "defect." Certain things, like a buffer overflow or a race condition, definitely are. But if Microsoft were auditing Outlook, the ability to run scripts automatically, or load images or links from remote servers, isn't a defect. If (say) OpenBSD were to do the audit, it definitely would be.
I don't know if the "proprietary equivalents" for webservers contain similar problems, but proprietary software seems to differentiate between "design flaws" and "defects" (the former never being fixed), where I find free software usually treats serious design flaws as bugs like any other.
Since Reason's methods seem to be automated, it's likely that they don't pick up these sorts of problems. This isn't a jab at Reason, who seem to be doing interesting stuff (in research and in practice), but just a reflection on their results.