On Tue, Nov 14, 2000 at 01:20:32PM -0600, Mate Wierdl wrote:
> I am reading this book by B. Schneier, in particular, the section
> `Cracking and hacking contests'.  He thinks that contests (like
> offering $1000 for finding a security hole in a product) are bad for
> four main reasons, the first reason being that the contests are
> usually unfair since the author of the software decides what he/she
> considers a "hole".
> 
> He also thinks that even having a software out and used for a few
> years without incidence does not imply that it is secure.  He says,
> the best way to evaluate the security of a product is to have it
> audited by security experts.

Does he mean by a company such as the one he runs (that sells security
audit services - surprise surprise) or does he mean a non-commercial audit
such as that done by the OpenBSD folk or the informal one of a "thousand
eyes" of the open source community?

It's all about increasing confidence levels. Whilst an audit is a good idea,
I don't see how a competition and time in the field can actually make matters
worse. Certainly no worse than relying on an audit and happening to select an
incompetent expert (of which there are plenty specializing in security
at the moment - one recently expressed surprise to me that qmail was running
on x86 Solaris as "that was usually installed on Sparcs").

But to answer your question, I've not seen mention of a formal audit
of qmail by certified security experts (or by self-appointed script kiddies
for that matter).

However, it would be very interesting to see such an audit. Mr Schneier could
convince a lot of sceptics if he conducted an eye-opening audit on qmail.

Regards.
