This is a very good example of the security problems that Open Source projects have.
Open Source projects need to have strong Secure Development Lifecycles for their software. And here they could do worse than learn from Microsoft's efforts. One of the projects that I really want to do at the OWASP is an SDL project which should be used on OWASP projects (39 at last count ( http://www.owasp.org/index.php/Category:OWASP_Project)) in order to ensure that OWASP tools are as secure as they can be. We need to make our software more secure and trustworthy and a solid SDL is a good (first) step.

Eventually we will need to move to the Sandboxing model, but I won't start the thread again :)

Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org

On 12/14/06, Kenneth Van Wyk <[EMAIL PROTECTED]> wrote:
> I guess this falls in to the "you can lead a horse to water, but you can't make him drink" category:
>
> http://www.heise-security.co.uk/news/82500
>
> A member of the PHP security team has left in apparent disgust over the team's security practices.
>
> I doubt that anyone here on SC-L is surprised by the article, but PHP remains quite popular, and it seems sad to see it losing some vital and much-needed security support.
>
> Well, there's always AJAX, I suppose. ;-\
>
> Cheers,
>
> Ken
>
> P.S. Hey, SC-L is 3 years old this month!
>
> -----
> Kenneth R. van Wyk
> SC-L Moderator
> KRvW Associates, LLC
> http://www.KRvW.com
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
> _______________________________________________