Why not built-in vulnerability checking???

Posted Jul 5, 2007 11:45 UTC (Thu) by jabby (guest, #2648)
Parent article: Counting vulnerabilities

A huge step forward would be for major project hosting sites (like SourceForge) to include vulnerability scanning. A quick search at turns up a few FOSS source checkers that could be deployed against the code stored in these repositories (sparse, Audit-Perl). [And there's always the potential for these services to collaborate with the commercial scanning companies (Coverity) and/or DHS.]

The first objection will be that this will show all of those vulnerabilities to every black hat in the world. I shouldn't have to point out that this is something that they could have done themselves with a script. But, to appease this fear, the security scan results could be kept behind password access for project members/owners only.

Beyond that, the hosting service would just need to encourage its use. If scans were not done automatically after every update to the code (conceivably a burden on the hosting service), then there should at least be some sort of effort to force the code maintainers to scan their code before each release. If they elect *not* to scan, then a red flag could be inserted somewhere in the downloads page to notify potential users that this code has not been checked with the hosting service's vulnerability scanning tool.

It's not a perfect solution, but I'd consider it a way to avoid a raft of vulnerabilities now and into the future in one fell swoop.


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds