
Look at OpenBSD

Posted Feb 5, 2004 16:25 UTC (Thu) by ncm (subscriber, #165)
In reply to: Look at OpenBSD by slowjoe
Parent article: Needed: code auditors

They very deliberately refuse to classify bugs according to whether they affect security. That is one of their better insights, because any bug may be a security hole, and it is very difficult, in general, to distinguish. Put another way, any such classification will have a very large fraction of erroneous assignments.

That's not to say they couldn't classify bugs along other axes. However, taking all bugs seriously, and minimizing the overhead involved in reporting and fixing them, are key enablers of their practice. Demanding classifications and other statistically useful overhead might backfire.

Look at OpenBSD

Posted Feb 5, 2004 17:30 UTC (Thu) by thoffman (subscriber, #3063)

It should be possible (and educational) to figure out how they do it just by looking at how their CVS tree has evolved over time.

And reading their mailing lists, of course. But even if they discuss security issues on closed lists, the code is open and someone who took the time could look at all the patches they make, classify them into bug fixes and features, and then look at all the bug fixes and start creating a "taxonomy" of bug fixes.

A well documented collection like that would be a very useful tool to teach other developers to audit code. Maybe some university prof out there will have her students put together documentation like that, and then audit some Linux code for the same sorts of problems?
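The mining exercise thoffman proposes, sorting a project's change history into bug fixes and features and then grouping the fixes into a taxonomy, can be prototyped as a keyword pass over commit messages. The script below is an added example, not code from the thread or from the OpenBSD project; the log entries are constructed, and the keyword lists and taxonomy buckets are assumptions a real study would refine by reading the diffs. In keeping with ncm's point above, it never tries to split fixes into "security" and "non-security": every fix lands in a bucket, and anything the keywords miss is kept as "other" rather than dropped.

```python
"""Added example (not from the LWN thread or OpenBSD): first-pass classifier
that sorts constructed commit-log entries into fixes and features, then
buckets the fixes into a small, assumed taxonomy by keyword."""
import re
from collections import Counter

# Constructed sample log entries, in the shape of (revision, log message).
# These are invented for the example and do not come from any real tree.
SAMPLE_LOG = [
    ("1.12", "fix off-by-one in strlcpy bounds check; found by audit"),
    ("1.13", "add -v flag to print version"),
    ("1.14", "check malloc return value, avoid NULL dereference"),
    ("1.15", "use snprintf instead of sprintf to prevent buffer overflow"),
    ("1.16", "new option to select interface"),
    ("1.17", "plug fd leak on error path"),
    ("1.18", "correct integer overflow in length calculation before malloc"),
    ("1.19", "typo in man page"),
]

# Assumed keyword lists; a real study would tune these against the diffs.
FIX_WORDS = re.compile(
    r"\b(fix|plug|correct|prevent|avoid|overflow|leak|typo|check)\b", re.I)
FEATURE_WORDS = re.compile(r"\b(add|new|option|support|implement)\b", re.I)

# Assumed taxonomy of fix classes; ordered, the first matching bucket wins.
TAXONOMY = [
    ("bounds/off-by-one", re.compile(r"off-by-one|bounds", re.I)),
    ("buffer overflow", re.compile(r"buffer overflow|sprintf|strcpy|strcat", re.I)),
    ("integer overflow", re.compile(r"integer overflow", re.I)),
    ("unchecked return/NULL", re.compile(r"return value|null", re.I)),
    ("resource leak", re.compile(r"\bleak\b", re.I)),
]


def classify(message):
    """Return 'fix', 'feature' or 'unknown' for one log message.

    Fix words are tested first, so "add missing length check" counts as a
    fix even though it also contains a feature word."""
    if FIX_WORDS.search(message):
        return "fix"
    if FEATURE_WORDS.search(message):
        return "feature"
    return "unknown"


def bucket(message):
    """Map a fix message to its taxonomy bucket; 'other' keeps it in the
    count instead of silently discarding fixes the keywords do not cover."""
    for name, pattern in TAXONOMY:
        if pattern.search(message):
            return name
    return "other"


def build_taxonomy(log):
    """Classify every entry; return (counts per kind, counts per fix bucket)."""
    kinds = Counter()
    buckets = Counter()
    for _revision, message in log:
        kind = classify(message)
        kinds[kind] += 1
        if kind == "fix":
            buckets[bucket(message)] += 1
    return kinds, buckets


if __name__ == "__main__":
    kinds, buckets = build_taxonomy(SAMPLE_LOG)
    print("by kind:", dict(kinds))
    print("fix taxonomy:", dict(buckets))
```

On the constructed log this yields six fixes and two features, with each fix landing in its own bucket and the man-page typo kept under "other". The same functions run unchanged over a real `cvs log` or `git log` export once the messages are parsed into (revision, message) pairs.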

Look at OpenBSD

Posted Feb 6, 2004 8:13 UTC (Fri) by Cato (subscriber, #7643)

I was talking about the culture of security auditing, not how they classify bugs etc. - reproducing this will mean talking to people, not just looking at CVS and email logs.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds