Re: time for some OpenBSD-style auditing?
On Fri, Dec 29, 2000 at 12:39:40AM -0600, Nathan E Norman wrote:
> > Actually let me chime in at this point and say that personally I'd
> > probably prefer non-developers auditing. If you adopt code as an auditor,
> > you lose the objectivity to be able to junk bad code relatively
> > quickly... Auditors should have as little to do with a piece of code
> > they're auditing as possible: preferably not even use it. This way they
> > don't fall "in love" with the code and do what's necessary for security...
> This is the way to go. For this to actually work someone will
> probably have to form a "team" of decent auditors to start digging and
> file bugs as they find them ... I know I'm not qualified :)
Since "auditing" is not a very well-defined term all the time, it
might be even better to form many small, tightly focused teams of auditors.
Each team would only focus on looking for one type of security hole. I've not
done much auditing myself, other than writing wrappers for school project
members who were too lazy to check the length or even existence of their
strings before they passed them to C str*() functions, but I've always been
interested in auditing, and even attempted studying OpenBSD patches for a
while to see how they did it.
As a sort of side note, maybe we should require every auditor to have
read (and understand, via some test) the Secure Programming HOWTO?
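The kind of wrapper the reply mentions, one that checks for a NULL pointer and for available length before a string reaches the C str*() functions, written out as an added example in C. It is not code from the mail or from any project; the function names, status codes and the bounded-length helper are my own.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Status codes returned by the wrappers (names chosen for this example). */
enum str_status { STR_OK = 0, STR_NULL_ARG = -1, STR_TOO_LONG = -2 };

/* Length of s, scanning at most max bytes, so an unterminated input
 * cannot run the scan past the caller's buffer (same idea as strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Copy src into dst (capacity dst_size bytes). Refuses NULL arguments and
 * sources that would not fit together with the terminating NUL; on a size
 * failure dst is left as an empty string rather than a truncated one. */
int safe_strcpy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return STR_NULL_ARG;
    size_t n = bounded_len(src, dst_size);
    if (n == dst_size) {          /* no room left for the NUL */
        dst[0] = '\0';
        return STR_TOO_LONG;
    }
    memcpy(dst, src, n + 1);      /* n bytes plus the terminator */
    return STR_OK;
}

/* Append src to dst (capacity dst_size bytes) with the same checks;
 * also rejects a dst that is itself not NUL-terminated within dst_size. */
int safe_strcat(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return STR_NULL_ARG;
    size_t used = bounded_len(dst, dst_size);
    if (used == dst_size)
        return STR_TOO_LONG;
    return safe_strcpy(dst + used, dst_size - used, src);
}

int main(void)
{
    char buf[8];                  /* constructed sample buffer */
    printf("%d\n", safe_strcpy(buf, sizeof buf, "hello"));     /* 0 */
    printf("%d\n", safe_strcat(buf, sizeof buf, " world"));    /* -2 */
    return 0;
}
```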