[sf-lug] Prince Ciao & Master Sun
jim at well.com
Mon Jul 23 08:03:51 PDT 2007
thank you hugely for the specifics.
On Jul 22, 2007, at 10:42 PM, Rick Moen wrote:
> Quoting jim stockford (jim at well.com):
>> i'd love to know how to evaluate software with
>> respect to security features. is there a well-known
>> suite of tests that detects crappy software?
> Wetware is the best tool *I* know of. I.e., your brain.
> This manual gives an excellent overview of what to test, but not how to
> do it: http://www.isecom.org/osstmm/
> There are lots of code checkers of various sorts. One is the thing
> called "Purify", which is said to be pretty useful. There's also
> Coverity's code-checkers. The Debian Security Team has a list of
> open-source checkers here: http://www.debian.org/security/audit/tools
> But, if you're really serious about this, read David Wheeler's HOWTO:
>> one approach to security is to have sensitive data on a machine that's
>> not connected to any network;
> True. My friend Richard Couture had as a consulting client a medical
> clinic that did a considerable amount of work with AIDS patients. They
> wanted him to connect all their machines, including those with
> patient data, to broadband Internet. He kept trying to explain why that
> was a bad idea; they kept pushing back.
> He finally found a way to make the point: "What would be the amount of
> your loss, if large amounts of your patient data were to suddenly show
> up on the open Internet?" They blanched: "Incalculable." "Ah, well,
> OK, what probability of an incalculable loss do you consider to be a
> justifiable risk?"
> In the end, the machines with sensitive data ended up being air-gapped
> from the less-sensitive machines he connected up to network access.