Linux Today picked up a story from CNET that just took my breath away.
11 Open-Source Projects Certified as Secure
Here's the short version:
Coverity announced that they're certifying Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL as satisfying their Rung 2 scan process.
Cool?
You bet!
Secure?
bhahahahahahahahahahahahahahahahahahaha
Hmmm... ok, back to reality...
First off,
Ever used static analysis programs?
Secondly,
While I applaud any efforts to squeeze security defects out of programs, let's not forget a simple rule of security:
'secure' program + bone-head configuration error == insecure program
This point alone is enough to invalidate any discussion regarding whether a program is secure.
I don't mean to cast aspersions on the effort or on the quality of the code in these programs, but let's be real here. For all intents and purposes, there is no such thing as secure code.
To be fair, Coverity does not appear to be the one claiming these programs are secure. CNET, shameshameshame.
Maybe I'm just being grumpy... Maybe my grumpiness is immaterial.