delurk in progress, please wait ...
>From: amolitor @
com (Andrew Molitor)
>Date: Thu, 27 Apr 95 20:06:29 CDT
> Here's a simple quick question, the answer to which will vary
>from person to person. Why do you want the source for your security tools?
> Do you actually have time to do a proper inspection of the code?
I always 'glance at' the code. Sometimes I pour over the code. Depends on
the tool, my interest in how something like that works, and most
importantly, how significant it is in the/my security scheme.
>Is it because documentation is always terrible, and if you have the source, you
>can at least fall back on it?
This is certainly one major reason. Especially when it comes to problems in
the 'wierd interactions' category.
>Is it so you can tinker with it?
A better term is 'bug fix'. I don't like being naked and all alone for six
weeks while a vendor 'works on the problem'. If I have source to a broken
critical app, I start the bug fix immediately regardless of vendor promises.
If the vendor gets there first, good, if I get there first, I'm covered
while the vendor gets his/her sh*t together.
>Some other reason?
Yes, a big one. I don't have time to read everything (surprise, surprise),
no one does. If I read the pieces I think are important and everyone else
reads the pieces they thing are important, usually everything gets covered.
If it is a popular tool and nobody is b*tching about it, it has passed 'peer
review' and I can be less concerned (reading a smaller piece, but still
reading). This saves time for the more obscure bits and pieces of the
security veil :).
> It's become axiomatic that you must have the source, just like
>it's axiomatic that gcc is pretty much the best compiler out there, and
>the client-server model is really the right way to do most anything. Just
>because it's axiomatic doesn't make it false, but I'd like to understand
>why it's true.
In a perfect world where I was given unlimited time to spend on security
issues, I'd read everything. In the real world where I wear about seven
'hats' everyday, I've learned to settle for the possible instead of the
perfect. Using source only tools that have been or are being used by the
'security experts' and other part-timers like me, give me a 'leg up'.
Security is more or less my 'third job' here (as it is for most people in
small companies). IMO, using source level tools that have been reviewed by
the 'security community' is almost like having an extra employee to CYA
BEFORE THE SHIP STARTS TO SINK. I REALLY don't like going to the boss and
saying 'the vendor says he's working on it and we'll have the fix REAL SOON
NOW'. I much prefer to say the vendor is working on it and in the mean time
I have a patch that will cover us for now.
Slow fade to black ...
Dana Nowell Work: DanaNowell @
Cornerstone Software Inc. Home: dnowell @
I don't even believe myself, why should you! (Standard disclaimer in force).