On Thu, 5 Dec 1996, Jeromie Jackson wrote:
> In regards to your opinion of the code being more secure because of the
> widely publicized source code, I would definitely have to DISAGREE with you.
I said no such thing. I stated that it was better to have access to source
than not to have access to source, and that there was no guarantee the
vendor is writing secure code.
> Just because the code is made public does not make it more secure whatsoever.
> Now if you had said that the code should be made public so that a formal
> testing methodology could be implemented upon it.
I believe the last line of my message read:
"This software simply needs to be reviewed on a regular basis"
And I was not referring to performance tuning.
> code to the public may give random people a chance of finding a security
> problem I would agree. However, providing code to the public does not
> provide assurance
It provides *more* assurance than letting the vendors offer up binaries
with no outside body to review the source. Ask yourself how many bugs
come to light from end users flipping through source code, as compared to
how many bugs the vendors release information on and patch. You will find
that bugs are most commonly found by the end user, who in *many* cases is
reading the code and posting the bug to a forum where the vendor cannot
ignore it (i.e., bugtraq, etc.).
*******************************************************************************
Alfred Huger                                          ahuger@secnet.com
Secure Networks Inc.                                  403.262.9211
*******************************************************************************