Re: DHS Open Source Hardening Project

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 20 May 2008 02:28:27 -0500 Bruno Wolff III wrote:
> 
> On Mon, May 19, 2008 at 14:13:05 -0400,
>   "McGuffey, David C." <DAVID.C.MCGUFFEY@xxxxxxxx> wrote:
> > I understand that DHS is funding an effort to use commercial tools
to
> > find bugs in open source software.  I guess the official name is
> > Vulnerability Discovery and Remediation, Open Source Hardening
Project,
> > but the common handle seems to be simply Open Source Hardening
Project.
> >
> > There was an interesting article at ZDnet...some pros and some cons:
> > http://news.zdnet.com/2100-1009_22-6025579.html
> >
> > Question...is the Fedora development community benefiting from this
> > effort?
> 
> I wouldn't expect there to be direct visibility to Fedora as that kind
> of work is going to be upstream of Fedora. I am aware of Coverity
> providing
> information (though I am not sure if it was funded by DHS, it may have
> been part of their marketing strategy) for some projects that have
code
> in Fedora (e.g. Postgres).
> 
Thank you.

I attended the 8th Software Assurance Forum a couple of weeks back and
there were several presentations and a lot of discussion about applying
automated tools to both source code and compiled binaries in an effort
to reduce the vulnerabilities of software. Open source software was a
hot topic.  Many lauded it, and some (mostly from the big commercial
vendors) trashed it.

Most attendees seemed to agree that the universities are failing us by
not teaching software security concepts at the undergraduate level. Many
also agreed that being CMMI level 3/4/5 and having great software
development environments were not a silver bullet to the problem.

So...in light of those two big glaring problems/failures, automation is
being attempted on a number of fronts, with the DHS program apparently
being only one.

Since I'm actively using Fedora at home and in an office lab, I was very
interested in whether the DHS (or any) tool development program was
providing a benefit to the open source community, and the security of
the resultant products.

Dave McGuffey
Principal Information System Security Engineer // NSA-IEM, NSA-IAM
SAIC, IISBU, Columbia, MD


-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux