Firewall Wizards mailing list archives

Re: Code reviews [Was: FWTK and smap/smapd]


From: Jim Duncan <jnduncan () cisco com>
Date: Fri, 19 Jul 2002 16:07:29 -0400

Marcus J. Ranum writes:
> [...] And Carson was
> so darned insufferable about the patches he sent in that even though
> he was right I wished he'd go away. ;)

If it's any consolation, Carson treats everybody the same way. :-)

> I think relatively few people look at the code nowadays - it's
> almost certainly lower proportionally than it used to be. But the
> number of eyeballs has, perhaps, gone up. The whole concept of open
> source code review is very dubious to me, since the typical open
> source package is hugely bloated with features and portability
> hacks, comes with a convoluted "configure" script and - well - in
> the face of that why not just install the rpm?

It's amazing to me how much of my job falls in between Henry Spencer's 
observation, "Those who fail to learn from UNIX are condemned to 
re-invent it, poorly," and some other person who said, "There's a fixed 
amount of clue on The Net." (s/on The Net/in this industry/g)

A huge number of the vulnerabilities and lackluster coding mistakes that
I see are simply older errors repeated.  Making the source code
available for viewing by a wide audience doesn't guarantee that
vulnerabilities will be found and fixed, but it does increase the
likelihood that someone will notice a piece of code that looks like some
old mistake reborn.

My holy grail has been to divine some sort of genealogy for code
snippets so I can track who worked with whom and who mentored with whom
on various software projects.  Then when I discover a programmer who
consistently shoots from the lip with their pointer arithmetic, I can
find the other software routines they've worked on, and (more
importantly) I can find the other programmers who have learned the same
dangerous coding style from this Typhoid Mary of software engineering.

It is true that fewer people look at the code, and I think it undermines
the assumption of the completely open source full disclosure crowd that
users can protect themselves immediately if only they had full details.
They can't.  Most people have to wait on vendors and support people to
test fixes and deploy changes, especially so in the more complex
regulatory environment surrounding networking and the legal obligations
affecting cyber commerce.

        Jim
==
Jim Duncan, Product Security Incident Manager, Cisco Systems, Inc.
http://www.cisco.com/warp/public/707/sec_incident_response.shtml
E-mail: jnduncan () cisco com  Phone(Direct/FAX): +1 919 392 6209


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards