Tuesday, January 08, 2008

Secure? Sure! ... and it will cure your asthma too!

Linux Today picked up a story from CNET that just took my breath away.

11 Open-Source Projects Certified as Secure

Here's the short version:

Coverity announced that they're certifying Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL as satisfying their Rung 2 scan process.

Cool?

You bet!

Secure?

bhahahahahahahahahahahahahahahahahahaha

Hmmm... ok, back to reality...

First off,

Ever used static analysis programs?

Secondly,

While I applaud any efforts to squeeze security defects out of programs, let's not forget a simple rule of security:
'secure' program + bone-head configuration error == insecure program
This point alone is enough to invalidate any discussions regarding whether a program is secure.

I don't mean to cast aspersions on the effort or on the quality code in these programs, but let's be real here. For all sakes and purposes, there is no such thing as secure code.

To be fair, Coverity does not appear to be the one claiming these programs are secure. CNET, shameshameshame.

Maybe I'm just being grumpy... Maybe my grumpiness is immaterial.

No comments: