On Tue, 2008-05-20 at 09:58 -0400, McGuffey, David C. wrote:
> On Tue, 20 May 2008 02:28:27 -0500 Bruno Wolff III wrote:
> >
> > On Mon, May 19, 2008 at 14:13:05 -0400,
> >   "McGuffey, David C." <DAVID.C.MCGUFFEY@xxxxxxxx> wrote:
> > > I understand that DHS is funding an effort to use commercial tools to
> > > find bugs in open source software. I guess the official name is
> > > Vulnerability Discovery and Remediation, Open Source Hardening Project,
> > > but the common handle seems to be simply Open Source Hardening Project.
> > >
> > > There was an interesting article at ZDnet...some pros and some cons:
> > > http://news.zdnet.com/2100-1009_22-6025579.html
> > >
> > > Question...is the Fedora development community benefiting from this
> > > effort?
> >
> > I wouldn't expect there to be direct visibility to Fedora as that kind
> > of work is going to be upstream of Fedora. I am aware of Coverity providing
> > information (though I am not sure if it was funded by DHS, it may have
> > been part of their marketing strategy) for some projects that have code
> > in Fedora (e.g. Postgres).
>
> Thank you.
>
> I attended the 8th Software Assurance Forum a couple of weeks back and
> there were several presentations and a lot of discussion about applying
> automated tools to both source code and compiled binaries in an effort
> to reduce the vulnerabilities of software. Open source software was a
> hot topic. Many lauded it, and some (mostly from the big commercial
> vendors) trashed it.
>
> Most attendees seemed to agree that the universities are failing us by
> not teaching software security concepts at the undergraduate level. Many
> also agreed that being CMMI level 3/4/5 and having great software
> development environments were not a silver bullet to the problem.
>
> So...in light of those two big glaring problems/failures, automation is
> being attempted on a number of fronts, with the DHS program apparently
> being only one.
>
> Since I'm actively using Fedora at home and in an office lab, I was very
> interested in whether the DHS (or any) tool development program was
> providing a benefit to the open source community, and the security of
> the resultant products.
>
> Dave McGuffey
> Principal Information System Security Engineer // NSA-IEM, NSA-IAM
> SAIC, IISBU, Columbia, MD
>

The developers may know if they have used some aspect of this or not,
depending on the deployment.

My personal experience with programming is that little is taught of the
nuances of good programming, from structure design, to code linkage, or
even "best practices" (depending on your viewpoint). Moreover,
documentation seems left entirely out of the curriculum for engineering
of all kinds, so the resultant products are not able to be used
effectively without considerable research on the product, and lots and
lots of trial and error. Generically this is bad, but when applied to
security issues, and the relevant code structure required as well as the
means to access systems, it is a potential disaster, especially since the
exploit may not exist for the gap left behind.

I do endorse software tools for diagnosis, but I know from experience
that some forms of tool generation, while effective in approach, are not
used in application due to overhead and time constraints. Where would you
recommend people go to find the best practices as you know them, or as
proposed by the panels?

Also there is a false belief that not exposing people to the errors is
some form of protection. That is Microsoft's approach, and it leaves the
general public in the dark about just how much exposure they have, but
worse, since the bad guys are bad guys, the restrictions against reverse
engineering mean nothing to them, leaving the condition that only the bad
guys really know the flaws and cracks in the system.

Just my two cents worth.

Regards,
Les H

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list