Message-ID: <446632A3.5060109@e2open.com>
Date: Sat, 13 May 2006 12:25:23 -0700
From: Mike Hoskins <mhoskins@...pen.com>
To: David Litchfield <davidl@...software.com>
Cc: "Ferguson, Justin \(IARC\)" <FergusonJ@...doe.gov>,
	ntbugtraq@...tserv.ntbugtraq.com, 'Adam Shostack' <adam@...eport.org>,
	full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	dbsec@...elists.org
Subject: Re: How secure is software X?


David Litchfield wrote:
> Hi Justin,
>> One thing you have to keep in mind is that a lot of things are incredibly
>> variable when dealing with this subject.
[...]
> There are a few things to remember:
[...]

One thing I also believe is that while there will always be a lot of 
variables, there is still value in writing down a standard.  So I guess 
I agree with "both sides" of this discussion.

If something is not in the standard and is deemed valuable, it can be 
amended.  (I think it's obvious such a standard would be a living 
document, like OWASP, etc.)  In the meantime, you can still say 
"software X complies with the standard" or "software Y does not comply 
with the standard".  This at least gives you a subjective way (if the 
standard is well written) to compare and contrast products in terms of 
security.

The effort would form an "application security RFC" of sorts -- a given 
product either complies, or it does not.  Compliance says something 
about the product's security, but does not say it is "unbreakable". 
Just like RFCs, some people will prefer compliant products while others 
won't likely care.  Having such a standard would be useful to some of 
us, and the rest shouldn't be any worse off.

I sincerely hope that such a standard will not only come to exist, but 
that it will also be centrally coordinated so as to maximize community 
benefit.  It's much easier to walk through "the one true standard" than 
it is to compare and contrast a handful of standards.

Of course such a standard would have many focus areas, contributors, 
etc.  It's just more valuable if a given standard gets buy-in and 
support rather than software X saying they comply with standard foo 
while software Y touts they comply with standard bar.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

