On Mon, 19 May 2008 20:15:15 -0700 Les H wrote:
>
> On Mon, 2008-05-19 at 14:13 -0400, McGuffey, David C. wrote:
> > I understand that DHS is funding an effort to use commercial tools to
> > find bugs in open source software. I guess the official name is
> > Vulnerability Discovery and Remediation, Open Source Hardening Project,
> > but the common handle seems to be simply Open Source Hardening Project.
> >
> > There was an interesting article at ZDnet...some pros and some cons:
> > http://news.zdnet.com/2100-1009_22-6025579.html
> >
> > Question...is the Fedora development community benefiting from this
> > effort?
> >
> > Dave McGuffey
>
> Did you look at the date of the article?
>
> Regards,
> Les H
>

Yes, but it was mentioned at the 8th Software Assurance Forum two weeks ago in and among several presentations concerning open software security. So...apparently the program is still going on.

There were other presentations about automated tools that scan through both source and compiled binaries looking for actual or potential vulnerabilities. In some cases the code is so complex that the tools can only flag a block of code for further human review.

Seems that a lot of effort is going into automated tools, because a significant percentage of the attendees at the SWaF seems to believe that the universities are doing a poor job of training software engineers, and the "cost schedule" mantra of software development managers runs counter to security.

My question remains...are the open source developers whose contributions make it into Fedora benefiting from the DHS program or any of the other tool development efforts?

Dave McGuffey
Principal Information System Security Engineer // NSA-IEM, NSA-IAM
SAIC, IISBU, Columbia, MD

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list