Message-ID: <4463FEFE.1090500@thievco.com>
Date: Fri May 12 04:20:41 2006
From: BlueBoar at thievco.com (Blue Boar)
Subject: How secure is software X?

So pin it down a bit more for me.

Do you want just public results of standardized blackbox testing? 
Something similar to the ICSA firewall certification?  (Though, I assume 
you want actual public results.)

Would you include source review?  The Sardonix project tried to do that.

Who does the testing, and who pays for the time and equipment to do 
that?  Do all products get re-tested every time a new version of the 
product suite is released?  Do the test suites have to be free?  Do they 
re-test for every release of the victim software?

Don't people like yourself derive some benefit from having some portion 
of your assessment work stay proprietary?  If I'm trying to enhance the 
test suite with some new fuzzing, and I find a sexy bug, don't the 
incentives tend to lean towards me selling the bug to iDefense and 
hiding my fuzzer in the meantime?

Don't we fairly quickly arrive at all products passing all the standard 
tests, and "passing" no longer means anything?

I like the idea, but I'm wondering why people would contribute.  I'm 
also wondering how it can stay consumer-beneficial, and not end up 
being driven by product vendors.

						BB
