At 06:20 PM 23/02/97 -0500, Russ wrote:
>I have to believe that Mr. Fir E. Walls must have been trolling for a
>fight when he started this thread.
The evidence supports your assertion.
>Your question focused on how commercial firewall vendors are doing
>bounds checking, and in particular, you said "Firewall software should,
>in my opinion, be checked and certified by the vendor to not have the
>possibility of smashing the stack. This is not expensive and will
>not add significantly to the product."
>
>Last time I checked, self-review of your own code did not qualify as
>certification of anything. Independent review, on the other hand, did.
While I agree with much that you go on to say, I have to ask you at this
point: because self-review does not qualify as certification, does this mean
that you shouldn't do it?
I think not, and I don't think that's what you meant. The vendors should
have both the original team do a review looking out for such blunders, as well
as have their own tiger teams checking as part of their QA process.
I think what Karen was getting at was that all too many don't even practice
this fundamental level of checking.
To Karen I say....
The evidence supports your assertion.
OBTW: Thanks for letting me quote you, K
/anton
--------------------------------------------------------------------------
Anton J Aylward | Security is not something that comes in
The Strahn & Strachan Group Inc | a self-contained box. It is an attribute
Information Security Consultants | of how you do business and as such
Voice: (416) 494-8661 | needs to be managed carefully.
Fax: (416) 494-8803 | - Karen Goertzel, Wang Federal Inc.