From: hal@finney.org
Date: Wed Feb 06 2002 - 11:44:38 MST
I saw another story this morning on the issue of reviewing open source
software for bugs. Sardonix, www.sardonix.org, is a new project to
organize the search for bugs, keep track of which code has been audited,
and give credit to the people who find the most bugs. The project is
being funded by DARPA for two years (although they are not giving cash
prizes to bug finders).
The story is at http://www.theregister.co.uk/content/4/23956.html:
Conventional wisdom has long held that open source software garners
extra security from the sheer number of people who are free to review
the code -- "Many eyes make all bugs shallow," the adage goes. The
reality is often different; it turns out many of those eyes have
little interest in the thankless task of examining other people's
code for security holes.
But now the "many eyes" school of software security may become more
than a theory, thanks to a reward system devised by an Oregon-based
computer scientist and funded by the U.S. Defense Department, which
was announced over security mailing lists Tuesday.
Part software development system and part psychological gambit, the
Sardonix project would replace the current loosely-structured open
source security review process with a central Web site that tracks
which code has been audited for security holes, and by whom. An
automated reward loop grants points to volunteer auditors according
to the amount of code they've examined, and the number of security
holes they've found. Auditors lose points if a subsequent audit by
someone else turns up bugs they missed.
Hal