Needed: code auditors
Posted Feb 5, 2004 19:12 UTC (Thu) by iabervon (subscriber, #722)
Parent article:
Needed: code auditors
I'm a bit mystified about using the stream of vulnerability reports as
evidence that auditing is not happening; the majority of vulnerability
reports are the result of auditing which found something. The stream of
vulnerability reports, in fact, demonstrates that auditing is an ongoing
process that turns up issues gradually over time, rather than an event
which finds all of the problems when it happens.
I'm not personally convinced that something like Sardonix is actually
helpful. It might be useful, however, to have software that tracks what
you've found clean, what you've patched, and the notes you've made on why
things work or don't work; it would then compare new versions against the
version you've looked at and look for patches which modify regions you've
looked at, so that you can check whether things are better or worse.
Communicating this information to other people is not necessarily useful,
however, since they may or may not trust your analysis.
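As an added illustration of the tracking tool sketched in this comment (example code, not anything the commenter or LWN provides), the following Python records which regions of which files were audited, with their status and notes, and flags the hunks of a new version's unified diff that touch those regions so the auditor knows what to re-check. The file paths, audit records and diff are constructed sample data.

```python
import re
from dataclasses import dataclass

# Unified-diff hunk header: "@@ -old_start[,old_count] +new_start[,new_count] @@"
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

@dataclass
class AuditRecord:
    path: str    # file as it appears in the diff, without the a/ prefix
    start: int   # first line of the audited region (old version numbering)
    end: int     # last line of the audited region
    status: str  # "clean" or "patched"
    note: str    # why the auditor believes the region is safe / what was fixed

# Constructed audit log for a hypothetical project
AUDIT_RECORDS = [
    AuditRecord("src/parse.c", 30, 50, "clean", "read_header bounds-checks len"),
    AuditRecord("src/parse.c", 100, 120, "patched", "fixed off-by-one in copy"),
    AuditRecord("src/util.c", 5, 15, "clean", "strlcpy used, sizes correct"),
]

# Constructed diff of the next release against the audited version
SAMPLE_DIFF = """--- a/src/parse.c
+++ b/src/parse.c
@@ -40,7 +40,8 @@
 context
-old line
+new line
+another new line
 context
@@ -200,3 +201,3 @@
-x
+y
--- a/src/util.c
+++ b/src/util.c
@@ -10,2 +10,2 @@
-a
+b
"""

def parse_hunks(diff_text):
    """Yield (path, old_start, old_end) for each hunk, in old-version line numbers.
    Simplified parser: assumes '--- ' only introduces file headers, which a deleted
    content line beginning with '-- ' would break; use a real diff library in practice."""
    path = None
    for line in diff_text.splitlines():
        if line.startswith("--- "):
            path = line[4:].split("\t")[0]
            path = path[2:] if path.startswith("a/") else path
            continue
        m = HUNK_RE.match(line)
        if m and path:
            start, count = int(m.group(1)), int(m.group(2) or 1)
            yield path, start, max(start, start + count - 1)

def hunks_touching_audited(records, diff_text):
    """Return (record, (hunk_start, hunk_end)) for every hunk overlapping an audited region."""
    return [(r, (s, e)) for path, s, e in parse_hunks(diff_text)
            for r in records if r.path == path and s <= r.end and e >= r.start]

if __name__ == "__main__":
    for r, (s, e) in hunks_touching_audited(AUDIT_RECORDS, SAMPLE_DIFF):
        print(f"RE-CHECK {r.path}:{s}-{e} ({r.status}: {r.note})")
```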