On Tue, May 20, 2008 at 9:31 AM, McGuffey, David C. <DAVID.C.MCGUFFEY@xxxxxxxx> wrote: > > On Mon, 19 May 2008 20:15:15 -0700 Les H wrote: >> >> On Mon, 2008-05-19 at 14:13 -0400, McGuffey, David C. wrote: >> > I understand that DHS is funding an effort to use commercial tools > to >> > find bugs in open source software. I guess the official name is >> > Vulnerability Discovery and Remediation, Open Source Hardening > Project, >> > but the common handle seems to be simply Open Source Hardening > Project. >> > >> > There was an interesting article at ZDnet...some pros and some cons: >> > http://news.zdnet.com/2100-1009_22-6025579.html >> > >> > Question...is the Fedora development community benefiting from this >> > effort? >> > >> > Dave McGuffey >> >> Did you look at the date of the article? >> >> Regards, >> Les H >> > Yes, but it was mentioned at the 8th Software Assurance Forum two weeks > ago in and among several presentations concerning open software > security. So...apparently the program is still going on. > > There were other presentations about automated tools that scan through > both source and compiled binaries looking for actual or potential > vulnerabilities. In some cases the code is so complex, that the tools > can only flag a block of code for further human review. Seems that a > lot of effort is going into automated tools, because a significant > percentage of the attendees at the SWaF seems to believe that the > universities are doing a poor job of training software engineers, and > the "cost schedule" mantra of software development managers runs counter > to security. Do you have any good links or information for programmers looking to tighten up code in regards to security? I have seen some things scattered about but I was hoping to find some central repository of info(if such exists) that points out the common flaws and how to fix them or even better how to avoid them. I don't think anyone is trying to leaving gaping security holes in their software but its obviously happening anyway. I have seen among some of the redhat stuff, I have read, pointers that show common errors but I am looking for something like a book(i don't mind paying for solid information) that teaches how to program securely, maybe something that explains how to avoid the common errors starting in the planning phase. I know such a book would not be easy to produce but it would be worth paying for if it can help people code more securely. A well written book on programming should take these things into consideration but there are many books, some obviously better written than others but unless you already have the expertise it is going to be hard to tell the difference. I google for it and i get alot of hits but these pages are ranked on popularity, in part anyway, and there is no guarantee that the info is up to date or even accurate. I wouldn't mind seeing my tax dollars spent on something useful like a knowledge base where programmers can turn for good advice on best practices and such.The world gets more dependent on software everyday, we need better quality control. BTW i am not suggesting such a thing would be easy but the things worth doing rarely are... Max -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list