Re: DHS Open Source Hardening Project

On Tue, May 20, 2008 at 9:31 AM, McGuffey, David C.
<DAVID.C.MCGUFFEY@xxxxxxxx> wrote:
>
> On Mon, 19 May 2008 20:15:15 -0700 Les H wrote:
>>
>> On Mon, 2008-05-19 at 14:13 -0400, McGuffey, David C. wrote:
>> > I understand that DHS is funding an effort to use commercial tools to
>> > find bugs in open source software.  I guess the official name is
>> > Vulnerability Discovery and Remediation, Open Source Hardening Project,
>> > but the common handle seems to be simply Open Source Hardening Project.
>> >
>> > There was an interesting article at ZDnet...some pros and some cons:
>> > http://news.zdnet.com/2100-1009_22-6025579.html
>> >
>> > Question...is the Fedora development community benefiting from this
>> > effort?
>> >
>> > Dave McGuffey
>>
>> Did you look at the date of the article?
>>
>> Regards,
>> Les H
>>
> Yes, but it was mentioned at the 8th Software Assurance Forum two weeks
> ago in and among several presentations concerning open software
> security. So...apparently the program is still going on.
>
> There were other presentations about automated tools that scan through
> both source and compiled binaries looking for actual or potential
> vulnerabilities.  In some cases the code is so complex that the tools
> can only flag a block of code for further human review.  It seems that a
> lot of effort is going into automated tools, because a significant
> percentage of the attendees at the SWaF seem to believe that the
> universities are doing a poor job of training software engineers, and
> the "cost schedule" mantra of software development managers runs counter
> to security.

Do you have any good links or information for programmers looking to
tighten up code in regards to security? I have seen some things
scattered about, but I was hoping to find some central repository of
info (if such exists) that points out the common flaws and how to fix
them, or even better how to avoid them. I don't think anyone is trying
to leave gaping security holes in their software, but it's obviously
happening anyway. Among some of the Red Hat stuff I have read, I have
seen pointers that show common errors, but I am looking for something
like a book (I don't mind paying for solid information) that teaches
how to program securely, maybe something that explains how to avoid
the common errors starting in the planning phase. I know such a book
would not be easy to produce, but it would be worth paying for if it
can help people code more securely. A well written book on programming
should take these things into consideration, but there are many books,
some obviously better written than others, and unless you already have
the expertise it is going to be hard to tell the difference. I google
for it and I get a lot of hits, but these pages are ranked on
popularity, in part anyway, and there is no guarantee that the info is
up to date or even accurate. I wouldn't mind seeing my tax dollars
spent on something useful like a knowledge base where programmers can
turn for good advice on best practices and such. The world gets more
dependent on software every day; we need better quality control. BTW I
am not suggesting such a thing would be easy, but the things worth
doing rarely are...


Max

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
