> I seem to have successfully pushed Struts in my company (a big Wall
> St. bank).  However, today, I was asked the following question:
> 
>     How can I guarantee that there are no hacks, bombs, etc. in the
>     Struts code or any OS code for that matter?
> 
> My immediate response was, how can you guarantee it for any code?
> However, being a large bank with literally trillions of dollars a day
> passing through our systems, I can definitely understand their concern.

Well, the immediate answer is that you can do a security audit of the source code 
yourself. This option simply isn't available with closed source solutions: you are 
reliant upon happy-customer stories and product reviews in magazines, which are 
notoriously unreliable. The quality control procedures for OSS are fairly high, and 
are arguably better than those in the private world.
 
> At a minimum, we will obtain the source code and at least do a minimal
> code walk-through and then compile our own binaries.

I would take that one step further and make the code you build your jars from the 
"definitive" code for your company, i.e. you would no longer download the Struts 
source from their CVS repository, but would rely on your own internal copy of the 
source. This would mean that you would have to fix any undiscovered bugs in the source 
in house, which may or may not be able to be donated back into the Struts CVS tree, 
but you would have additional assurance against the introduction of new (intentional 
or not) security holes.
 
> What other guarantees can I make to my management?  What is 
> the process the Struts team uses to control a rogue contributor?

There are no guarantees that can be made about security, despite what salespeople will 
tell you. The best you can do is to carefully examine and test the product. Further, 
you have to go through a fairly involved process to become a committer, and your 
reputation will be important before you become one. Even after that, all changes are 
reviewed by other committers before they are actually imported into the codebase.

(CC'ing this to the struts-dev list for corrections. My understanding of the process 
for Struts development is itself a work in progress. :)

-= J

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
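The reply above recommends building from a reviewed, internal copy of the source rather than whatever is currently in the upstream repository. A practical way to keep that copy honest between the walk-through and each build is to pin the reviewed tree to a manifest of SHA-256 digests and refuse to build from a tree that no longer matches. The script below is an added example, not code from this thread or from the Struts project; the directory layout, the `org/example` package and the file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: pin a reviewed source tree to a digest manifest and verify
# it before building. Not from the original thread; paths are constructed.

# Digest one file, preferring sha256sum (coreutils) with shasum as a fallback.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# Print "digest  ./relative/path" for every regular file under $1, sorted so
# the manifest is stable across runs. Hashing the whole tree (rather than
# only files already listed) means added or deleted files are caught too.
hash_tree() {
    ( cd "$1" && find . -type f | sort | while read -r f; do
          digest "$f"
      done )
}

# pin_tree SRC_DIR MANIFEST: record the reviewed state of the tree.
pin_tree() {
    hash_tree "$1" > "$2"
}

# verify_tree SRC_DIR MANIFEST: exit 0 only if the tree is byte-for-byte the
# one that was reviewed; any changed, added or removed file makes this fail.
verify_tree() {
    hash_tree "$1" | cmp -s - "$2"
}

# Demonstration with a constructed tree: pin it, verify it, then show that an
# unreviewed file appearing in the tree is rejected.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/org/example"
    printf 'package org.example;\nclass ReviewedAction {}\n' \
        > "$work/src/org/example/ReviewedAction.java"

    pin_tree "$work/src" "$work/MANIFEST.sha256"
    if verify_tree "$work/src" "$work/MANIFEST.sha256"; then
        echo "reviewed tree matches manifest: build may proceed"
    fi

    # A file nobody walked through is dropped into the tree after review.
    printf 'class Unreviewed {}\n' > "$work/src/org/example/Unreviewed.java"
    if verify_tree "$work/src" "$work/MANIFEST.sha256"; then
        echo "ERROR: tampered tree was accepted"
    else
        echo "tree differs from reviewed manifest: refusing to build"
    fi
    rm -rf "$work"
}

demo
```

The manifest should live somewhere the build machine cannot rewrite (the same place you keep the reviewed source, ideally under a separate owner), otherwise an attacker who can edit the tree can re-pin it as well. Hashing the entire tree instead of using `sha256sum -c` on a fixed list is deliberate: a checksum list only validates files it already names, so a new file slipped into the source would pass unnoticed.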