On 7/8/2015 3:19 PM, Chuck Anderson wrote:
Sorry, I call BS. My point was that having access to source code is a prerequisite. If you don't have access to the source code, it becomes MUCH harder to audit because you are limited in the techniques you can use, such as black box testing. If you have source code, you can read the code and try to understand what it is doing.
This is why I say you don't have the qualifications. Access to the source code isn't worth nearly as much as you seem to think it is. There are classes of vulnerabilities like insecure compiler optimizations that are impossible to detect by examining the source code even when you do understand what the code is supposed to do. On the other hand, no-source techniques like black box testing work whether or not you have the source. This is why my answer to your next question is...
And do you think we would know about those instances if the code/standards were closed?
... yes, we would. -- Rich P. _______________________________________________ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss
