RE: Use of closed source software

From: hal@finney.org
Date: Wed Feb 06 2002 - 11:44:38 MST


I saw another story this morning on the issue of reviewing open source
software for bugs. Sardonix, www.sardonix.org, is a new project to
organize the search for bugs, keep track of which code has been audited,
and give credit to the people who find the most bugs. The project is
being funded by DARPA for two years (although they are not giving cash
prizes to bug finders).

The story is at http://www.theregister.co.uk/content/4/23956.html:

   Conventional wisdom has long held that open source software garners
   extra security from the sheer number of people who are free to review
   the code -- "Many eyes make all bugs shallow," the adage goes. The
   reality is often different; it turns out many of those eyes have
   little interest in the thankless task of examining other people's
   code for security holes.

   But now the "many eyes" school of software security may become more
   than a theory, thanks to a reward system devised by an Oregon-based
   computer scientist and funded by the U.S. Defense Department, which
   was announced over security mailing lists Tuesday.

   Part software development system and part psychological gambit, the
   Sardonix project would replace the current loosely-structured open
   source security review process with a central Web site that tracks
   which code has been audited for security holes, and by whom. An
   automated reward loop grants points to volunteer auditors according
   to the amount of code they've examined, and the number of security
   holes they've found. Auditors lose points if a subsequent audit by
   someone else turns up bugs they missed.

Hal
This archive was generated by hypermail 2.1.5 : Fri Nov 01 2002 - 13:37:38 MST