On Tue, 20 May 2008 02:28:27 -0500 Bruno Wolff III wrote:

> On Mon, May 19, 2008 at 14:13:05 -0400,
> "McGuffey, David C." <DAVID.C.MCGUFFEY@xxxxxxxx> wrote:
> > I understand that DHS is funding an effort to use commercial tools to
> > find bugs in open source software. I guess the official name is
> > Vulnerability Discovery and Remediation, Open Source Hardening Project,
> > but the common handle seems to be simply Open Source Hardening Project.
> >
> > There was an interesting article at ZDnet...some pros and some cons:
> > http://news.zdnet.com/2100-1009_22-6025579.html
> >
> > Question...is the Fedora development community benefiting from this
> > effort?
>
> I wouldn't expect there to be direct visibility to Fedora as that kind
> of work is going to be upstream of Fedora. I am aware of Coverity
> providing information (though I am not sure if it was funded by DHS,
> it may have been part of their marketing strategy) for some projects
> that have code in Fedora (e.g. Postgres).

Thank you.

I attended the 8th Software Assurance Forum a couple of weeks back and there were several presentations and a lot of discussion about applying automated tools to both source code and compiled binaries in an effort to reduce the vulnerabilities of software. Open source software was a hot topic. Many lauded it, and some (mostly from the big commercial vendors) trashed it.

Most attendees seemed to agree that the universities are failing us by not teaching software security concepts at the undergraduate level. Many also agreed that being CMMI level 3/4/5 and having great software development environments were not a silver bullet to the problem.

So...in light of those two big glaring problems/failures, automation is being attempted on a number of fronts, with the DHS program apparently being only one.

Since I'm actively using Fedora at home and in an office lab, I was very interested in whether the DHS (or any) tool development program was providing a benefit to the open source community, and the security of the resultant products.

Dave McGuffey
Principal Information System Security Engineer // NSA-IEM, NSA-IAM
SAIC, IISBU, Columbia, MD