Firewall Wizards mailing list archives

Re: Sardonix Security Auditing Portal


From: John McDermott <jjm () jkintl com>
Date: Thu, 07 Feb 2002 11:54:00 -0700


Crispin Cowan wrote:

We propose to address this underused potential by providing a real &
effective web portal to facilitate & encourage source code auditing.
This web site will facilitate and encourage source code auditing in the
following ways:
...

Great idea.

The score keeping is really the most important part of the web site,
with two key roles to play:

    * the karma whore effect: we conjecture that a web site that will
      mechanically compute a number of how l33t you are will attract
      people to audit code.  Consider how hard people will work just
      to score karma points on Slashdot :-)
    * assuring code quality: scoring the code in terms of the number &
      quality of eyes that have read it will give code consumers a
      reasonably valid way to determine the level of trust they can put
      in that code.


I would suggest adding points for providing the fix, or at least *a*
fix, even if the fix is not adopted by the code's maintainer.  This
removes some of the work from the maintainer and encourages the auditor
to not only discover problems, but to also discover the specifics of the
problem and how it might be fixed.  I can see, for example, an
individual beating on a tool until it fails and making a report that
with a particular input stream or whatever, the tool fails.  Actually
finding what is wrong is important so encouraging the finding of a fix
might be something to reward.

Another possibility might be to award points for the creation of auditing
tools.  This is, in general, a hard problem (or else we'd all just test
our code with the one true audit program and the site would not be
necessary).  Rewarding good tools might encourage some of the research
necessary to get such tools created.

Just my USD0.02

--john
-- 
John McDermott, Writer and Consultant
J-K International, Ltd.
V +1 505/377-6293  F +1 505/377-6313
jjm () jkintl com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
