[sf-lug] Prince Ciao & Master Sun

jim stockford jim at well.com
Mon Jul 23 08:03:51 PDT 2007


Thank you hugely for the specifics.

On Jul 22, 2007, at 10:42 PM, Rick Moen wrote:

> Quoting jim stockford (jim at well.com):
>
>>     I'd love to know how to evaluate software with
>> respect to security features. Is there a well-known
>> suite of tests that detects crappy software?
>
> Wetware[1] is the best tool *I* know of.
>
> This manual gives an excellent overview of what to test, but not how to
> do it:  http://www.isecom.org/osstmm/
>
> There are lots of code checkers of various sorts.  One is the thing
> called "Purify", which is said to be pretty useful.  There's also
> Coverity's code-checkers.  The Debian Security Team has a list of useful
> open-source checkers here:  http://www.debian.org/security/audit/tools
>
> But, if you're really serious about this, read David Wheeler's HOWTO:
> http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/
>
>> one approach to security is to have sensitive data on a machine that's
>> not connected to any network;
>
> True.  My friend Richard Couture had as a consulting client a medical
> clinic that did a considerable amount of work with AIDS patients.  They
> wanted him to connect all their machines, including those with sensitive
> patient data, to broadband Internet.  He kept trying to explain why this
> was a bad idea; they kept pushing back.
>
> He finally found a way to make the point:  "What would be the amount of
> your loss, if large amounts of your patient data were to suddenly show
> up on the open Internet?"  They blanched:  "Incalculable."  "Ah, well,
> OK, what probability of an incalculable loss do you consider to be a
> justifiable risk?"
>
> In the end, the machines with sensitive data ended up being air-gapped
> from the less-sensitive machines he connected up to network access.
>
> [1] I.e., your brain.