Re: forming a security team for testing
- To: Kim <kim@info.dk>
- Cc: debian-security@lists.debian.org, "\"Matt Zimmerman\"" <mdz@debian.org>, "\"Bdale Garbee\"" <bdale@debian.org>, "\"Chris Halls\"" <halls@debian.org>, "\"Martin Schulze\"" <joey@debian.org>, "\"Andreas Mueller\"" <amu@tr.debian.net>, "\"Petter Reinholdtsen\"" <pere@hungry.com>, "\"Martin Michlmayr\"" <tbm@cyrius.com>, "\"Andreas Barth\"" <aba@not.so.argh.org>, "\"Ernesto Hernandez-Novich\"" <emhn@telcel.net.ve>, "\"Finn-Arne Johansen\"" <faj@bzz.no>, "Djoumé SALVETTI" <salvetti@crans.org>, "\"Steinar H. Gunderson\"" <sesse@debian.org>, "\"Andres Salomon\"" <dilinger@voxel.net>
- Subject: Re: forming a security team for testing
- From: Alvin Oga <aoga@ns.Linux-Consulting.com>
- Date: Wed, 27 Oct 2004 17:17:50 -0700 (PDT)
- Message-id: <[🔎] Pine.LNX.3.96.1041027170935.7076A-100000@Maggie.Linux-Consulting.com>
- In-reply-to: <[🔎] 000701c4bc82$059a5fb0$63e4aad5@workstation1>
hi ya
On Thu, 28 Oct 2004, Kim wrote:
> I am sorry if I have misunderstood anything but "whatever is needed to
> satisfy yourself" Since this is a personal matter isn't there chances that a
> person may miss important issues? I rather surgest a clear program of checks
> that at least must be done in order to avoid problems.
that's the tricky part .... eveybody will want different levels of
security
there should be minimum basic security ( eg required updates )
there should be application based updates ( apache/exim/dns/fw/etc )
there should be kernel patches
there should be tcp wrappers and sshd config
there should be ids and what triggers "wake up now" vs "false alarms"
... on and on ...
we'd probably will need multiple "security checking" programs
harder or simpler issue will be:
- how to test to see the apps is patched or not susceptible to
the latest exploit in that package
- latest/greatest may not necessarily be "more secure"
- another major issue is "patch now" vs patch later after the
project is released and than change to new environment,
changing things in the dmiddle of a development cycle is no fun
- all security testing/qa/release cycles should be "automated"
- we can all run the security scripts on our own machines
and see if it dies or what it finds
- it'd also be nice if the "security checking" can be
distro nuetral
( same files, same apps, same patches, etc )
c ya
alvin
Reply to: