> From: owner-openssl-us...@openssl.org 
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Roberto Spadim
> Sent: Sunday, 13 April, 2014 13:53
> 
> The problem isn't new features; the problem is how to write tests that should 
> find security problems and tests to find bugs.

A false dichotomy, as anyone with any significant experience in software 
development should recognize. Adding features increases the size of the code 
base and so increases the number of possible bug points; and due to 
combinatorial explosion, it greatly increases the number of cases to test.

As Steve Marquess pointed out, the issue is resources, plain and simple. Yes, 
in the specific case of Heartbleed, it would have helped to have rejected Robin 
Seggelmann's Heartbeat patch or reviewed it more thoroughly. But other security 
issues are far more subtle and difficult to find by testing.

In retrospect, the bug in Seggelmann's code is obvious; I looked at the diff 
for that commit and spotted it in seconds. But this is an area I have 
experience with and so I'm accustomed to looking for input overruns in 
untrusted data - it's the sort of thing you have to get used to doing when 
writing Wireshark dissectors and the like. A similarly serious bug in another 
area could easily escape me, and the same goes for all code reviewers: we have 
classes of faults we've been trained to notice, and others we're blind to.

Steve's message, and his previous one about the no doubt temporary surge in 
donations, has prompted me to talk to my management again about an OSF support 
contract. I think this was raised years ago when we first started including 
OpenSSL, in a small way, with a couple of products; but paying money when it 
isn't required is often the sort of thing that falls by the wayside, even when 
everyone has good intentions.

-- 
Michael Wojcik
Technology Specialist, Micro Focus

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
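Michael's remark about input overruns in untrusted data is exactly the Heartbleed pattern: a length field supplied by the peer was trusted instead of the number of bytes actually received. The following is an added example, not code from this thread or from OpenSSL, showing a heartbeat-body parser that bounds the declared payload_length by the received record length before anything is echoed back. The record layout follows RFC 6520; the sample records are constructed, and the function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* TLS heartbeat message body (RFC 6520):
 *   1 byte   type (1 = request, 2 = response)
 *   2 bytes  payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of padding
 */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

typedef struct {
    uint8_t type;
    uint16_t payload_length;
    const uint8_t *payload;   /* points into the caller's record buffer */
} heartbeat_t;

/* Parse a heartbeat body. rec_len is the number of bytes actually received
 * and is the only length we trust. Returns 0 on success, -1 if malformed.
 * The comparison against rec_len is the check Heartbleed lacked: the
 * declared payload_length is peer-controlled and must never be used to
 * read past the end of the record. */
int parse_heartbeat(const uint8_t *rec, size_t rec_len, heartbeat_t *out)
{
    if (rec == NULL || out == NULL)
        return -1;
    if (rec_len < HB_HEADER_LEN)           /* type and length not even present */
        return -1;

    uint8_t type = rec[0];
    uint16_t payload_length = (uint16_t)((rec[1] << 8) | rec[2]);

    if (type != 1 && type != 2)
        return -1;

    /* RFC 6520 section 4: a message whose payload_length is too large must be
     * discarded silently. Bound by what was received, not by what was declared. */
    if ((size_t)payload_length + HB_HEADER_LEN + HB_MIN_PADDING > rec_len)
        return -1;

    out->type = type;
    out->payload_length = payload_length;
    out->payload = rec + HB_HEADER_LEN;
    return 0;
}

/* Build the response: echo the payload, then padding. Returns bytes written,
 * or 0 if dst is too small. Only hb->payload_length bytes are copied, and
 * parse_heartbeat has already bounded that value. */
size_t build_heartbeat_response(const heartbeat_t *hb, uint8_t *dst, size_t dst_len)
{
    size_t need = HB_HEADER_LEN + (size_t)hb->payload_length + HB_MIN_PADDING;
    if (dst_len < need)
        return 0;
    dst[0] = 2;
    dst[1] = (uint8_t)(hb->payload_length >> 8);
    dst[2] = (uint8_t)(hb->payload_length & 0xff);
    memcpy(dst + HB_HEADER_LEN, hb->payload, hb->payload_length);
    /* Real padding should be random; zeros keep this example deterministic. */
    memset(dst + HB_HEADER_LEN + hb->payload_length, 0, HB_MIN_PADDING);
    return need;
}

/* Constructed sample records, not real captures. */
static const uint8_t good_record[] = {
    0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0   /* 16 bytes padding */
};
/* Declares 0xFFFF payload bytes but carries only 4: must be rejected. */
static const uint8_t bad_record[] = {
    0x01, 0xFF, 0xFF, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Small wrappers so the outcomes can be checked as return values. */
int demo_good_payload_length(void)
{
    heartbeat_t hb;
    return parse_heartbeat(good_record, sizeof good_record, &hb) == 0 ? hb.payload_length : -1;
}
int demo_bad_rejected(void)
{
    heartbeat_t hb;
    return parse_heartbeat(bad_record, sizeof bad_record, &hb);
}
size_t demo_response_len(void)
{
    heartbeat_t hb;
    uint8_t resp[64];
    if (parse_heartbeat(good_record, sizeof good_record, &hb) != 0)
        return 0;
    return build_heartbeat_response(&hb, resp, sizeof resp);
}

int main(void)
{
    printf("good record: payload_length=%d\n", demo_good_payload_length());
    printf("bad record: parse result=%d (expected -1)\n", demo_bad_rejected());
    printf("response length for good record: %zu\n", demo_response_len());
    return 0;
}
```

The important design choice is that parse_heartbeat takes the received length as a separate argument and never lets the peer-supplied field exceed it; a reviewer scanning a patch for "input overruns in untrusted data" is looking for exactly this kind of comparison between a declared length and the bytes actually in hand.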