Calling all DEPs

Matthew Carpenter matt
Mon May 17 11:45:31 PDT 2004


On Fri, 07 Mar 2003 18:53:27 +0800
Chong Yu Meng <chongym at cymulacrum.net> wrote:

> Actually, I've always had trouble buying into the "thousand eyes" 
> theory, because it assumes too much about the developer community. Call 
> me cynical, but I've seen too many instances of a really obvious problem 
> or contradiction escaping the eyes of a great many people, and I'm not 
> just talking about Linux here.

I can agree on that.  Not every line of code has even two people look at it. 
But it is a lot better than the alternative.  No eyes except some Microserf
trying to keep up with the rest of the behemoth to keep it fed.  No sir.  The
Sendmail vulnerability wasn't found by some hacker making a Code Red or Code
Blue to exploit it.  It was found by ISS, a security company, who was going
through a "routine code review".  Actually, I'd think less ideal things of him
on finding the Snort issue.  I'm thinking "competition" at that point.

> Security can be defined in many, many ways. And I don't think 
> certification alone is a "guarantee" of security, because certification 
> implies a series of tests, which must be standardized, by definition. 
> This does not allow for the kind of improvisations that are commonplace 
> on the Internet, and cannot possibly test every possible scenario, 
> present and future.

Unfortunately, a lot of the proprietary world can't wrap its mind around
anything that doesn't cost big bucks.
Another example of trusting the money-sink.

