Trusting software
Jason Miller, 2005-12-07

Open-source or closed-source, it's the same issue. Using other people's software has a lot to do with trust. If you don't trust the right people, you're putting yourself at risk.

Trusting software 2005-12-07
Ray Kaplan (2 replies)
Evaluating trust is hardly a subjective process. For this decision, you must rely on proof. Such proof is not only very hard and expensive to establish, but it is clearly absent in the overwhelming majority of all of the hardware and software in our fragile infrastructures.

You need proof that a...

Re: Trusting software 2005-12-19
Anonymous
Yes, I remember something about high-level certificates which contain proof that certified hardware or software is safe. I think one or two HW routers have it. I'm sure no operating system and no personal computer come close. So, you can wait for your proofs and use pen & paper in the meantime. I prefe...

Re: Trusting software 2005-12-19
hkmaly
Note: in the previous post I forgot to mention the reason why no personal computer or operating system has been formally proven: because it's so damn hard. You must translate every line of code to a logical predicate and then solve them. Ideally by hand, because you have no software you can trust for that task...

Trusting software 2005-12-08
Don Parker
Microsoft's IE is a perfect example of poor s/w. This program is years old, but yet still yields many vulnerabilities yearly. Legacy code or not, this program should have been bugged out by now. Yes it is a large program, but nonetheless it has been around for some time now, and is still bug ridden. F...

Trusting software - what goes around comes around 2005-12-08
Steve Lodin (1 replies)
Back in the mid-90s when I discovered the Kerberos RNG vulnerability, the discussion centered around trust and spaghetti code. I would add, besides trust in people, trust in the software design and development practices of the organization responsible for code delivery.

https://www.cerias.purdue...

One side effect of source availability 2005-12-08
jesse (1 replies)
One side effect of source availability is that the author will tend to be more careful.

I know my coding has improved since public exposure has meant that I have to explain unclear code (over and over and ...).

That now means that I make the code clearer the first time, and make better comment...

Re: One side effect of source availability 2005-12-09
Anonymous
Absolutely true. Though I recently found in QA testing a logic error in a finite state machine that had been peer reviewed by a strong team. So things still will get through. But it's the first bug I found in peer reviewed sections of code in well over a year. So not too shabby. ...

Trusting software 2005-12-09
Tim Hudson
I've posted my response to your article here:
http://www.rsasecurity.com/blog/

Another great resource can be found here:
http://www.softwaremag.com/L.cfm?Doc=2004-09/2004-09software-security-testing

Tim.
...

Trusting software 2005-12-15
Howard Israel
Excellent article on the overall issue of trust and misplaced trust. This is really one of those FUNDAMENTALS that seems to be forgotten about, and is more or less assumed by all of us security people without a whole lot of thought.

I see no real solution to it, because let's face it, we all must...

Copyright 2009, SecurityFocus