Interesting

Posted by sgt_jake on 2004-04-15 08:14:40
In reply to RobEnderle
[don't ask how I ended up here again, but here I am...] Jake is my real name (toilet?!), I was a Sergeant in the United States Marine Corps. It's far more descriptive of me than any other nick-name and easier to type. And I'm paranoid about my personal information so I typically don't post my last name. Call me a freak. It's true, I've never actually been an auditor, but I go through software and process audits about twice a year, for 6 years now (financial industry and all).

-- Don't know if you'll ever see this, so I'll defer the debate, but I still say you're calling your _perceptions_ about open source fact, and your perceptions are wrong. If you want to know who wrote something in your code, look at the public mailing list to see who wrote it. Don't trust it? Take it out. Or use SE Linux (made by the NSA), or another distribution that's trying for government certifications. In short - just because people are adding to Linux every day doesn't mean your code on your machines is changing every day. You pick when and where to update, and you can audit every bit and byte if you so choose.

In fact, let's try this one - Let's do a security audit on a webserver in your org. You can run a complete Linux kernel in under 1.44 mb. A cut down Apache can be run in less than 2 mb (or so I once read). Throw on SSH (commercial - 3.5 mb), and you have a webserver serving public pages securely in less than 10 mb. Compare that to IIS running on WinXP and tell me which one would pass an audit faster. Even if you stripped down IIS and XP to bare bones [serving the same locked down function as the Linux/Apache combo], 10 MB of code (that includes the source code) shouldn't prove to be too much of a challenge for anyone to audit.

Now - let's update that software. A vulnerability is found in the Linux kernel, and at some point is patched. Do a background check on the person who wrote the patch? I think it runs about $500. Can't verify that person? Hire a security firm to audit the patch and see if anything is wrong (or hire someone to work around it for you). Maybe $2500? $5000? [This is assuming that you NEED the patch at all - if your kernel is that stripped down the chances are pretty slim]. Vulnerability in your Windows server is found. Microsoft releases a patch. If you had to audit the people who wrote it, or the patch itself, it would cost you too. But if you trust Microsoft, then $0. But you'll probably have to take all the other patches with it, and strip it down again to keep it secure.

The costs would (in my opinion) balance, but even if they didn't, I'd still trust my 10 mb over the IIS combo. And since most of my audits [not all of them, but most] came out shining, I'll trust my experience. Besides - having a good auditor like Deloitte and Touche to guide you in what you failed at matters far FAR more than the software you're using. I'd go so far as to say it doesn't matter what you use as long as you do it right. Which to me says that your frantic alarmist hand waving is just you being paranoid - something that usually happens when you're unprepared.

Sgt_jake
Topic | Author | Date
Re: Can Open-Source Software Survive an Audit? | Rob Enderle | 2004-02-17 21:02:48
Re: Can Open-Source Software Survive an Audit? | beaner | 2004-02-24 06:19:24
Re: Can Open-Source Software Survive an Audit? | RobEnderle | 2004-02-24 08:20:23
Re: Can Closed-Source Software Survive an Audit? (was Open) | heron | 2004-02-22 20:41:15
Re: Can Closed-Source Software Survive an Audit? (was Open) | RobEnderle | 2004-02-24 08:06:47
Rob undermines his own opinion. | sgt_jake | 2004-02-19 12:59:42
Re: Rob undermines his own opinion. | RobEnderle | 2004-02-20 09:55:04
I call hypocracy | bangular | 2004-02-24 05:33:38
Re: I call hypocracy | RobEnderle | 2004-02-24 08:14:22
Interesting | sgt_jake | 2004-04-15 08:14:40
Re: Can Open-Source Software Survive an Audit? | jejones3141 | 2004-02-19 04:04:20
Re: Can Rob Enderle Survive Reality? | timransom | 2004-02-18 20:44:12
Re: Can Open-Source Software Survive an Audit? | ptarra | 2004-02-18 14:05:38
Re: Can Open-Source Software Survive an Audit? | beaner | 2004-02-18 13:27:35
Playing fast and loose with your terms | shadow255 | 2004-02-18 11:15:07
Re: Playing fast and loose with your terms | RobEnderle | 2004-02-20 09:25:26
Re: Playing fast and loose with your terms | cricketjeff | 2004-02-20 10:01:04
Re: Playing fast and loose with your terms | RobEnderle | 2004-02-20 11:32:51
Contradictions | JoeBunting | 2004-02-24 04:52:15
Re: Contradictions | RobEnderle | 2004-02-24 07:52:36
Re: Playing fast and loose with your terms | beaner | 2004-02-23 07:23:09
Re: Playing fast and loose with your terms | RobEnderle | 2004-02-24 08:27:26
Re: Playing fast and loose with your terms | cricketjeff | 2004-02-20 16:11:42
Re: Playing fast and loose with your terms | RobEnderle | 2004-02-24 08:48:54
Troll your boat, troll your boat, gently down the streeeeam | bangular | 2004-02-18 13:04:46
Re: Troll your boat, troll your boat, gently down the streeeeam | bangular | 2004-02-19 02:47:43
Re: Troll your boat, troll your boat, gently down the streeeeam | cricketjeff | 2004-02-20 06:11:08
Re: Troll your boat, troll your boat, gently down the streeeeam | bangular | 2004-02-19 17:18:27
Re: Troll your boat, troll your boat, gently down the streeeeam | beaner | 2004-02-19 09:12:37
Re: Troll your boat, troll your boat, gently down the streeeeam | RobEnderle | 2004-02-20 08:53:30
Re: Troll your boat, troll your boat, gently down the streeeeam | beaner | 2004-02-23 08:08:52
Re: Troll your boat, troll your boat, gently down the streeeeam | RobEnderle | 2004-02-24 08:36:20
Re: Troll your boat, troll your boat, gently down the streeeeam | beaner | 2004-02-23 08:00:28
Re: Troll your boat, troll your boat, gently down the streeeeam | RobEnderle | 2004-02-24 09:42:54
Re: Troll your boat, troll your boat, gently down the streeeeam | beaner | 2004-02-27 07:01:32
Re: Troll your boat, troll your boat, gently down the streeeeam | cricketjeff | 2004-02-20 10:07:40
Re: Troll your boat, troll your boat, gently down the streeeeam | RobEnderle | 2004-02-20 11:47:05
Re: Troll your boat, troll your boat, gently down the streeeeam | cricketjeff | 2004-02-20 14:34:19
Re: Troll your boat, troll your boat, gently down the streeeeam | RobEnderle | 2004-02-20 17:07:52
Re: Troll your boat, troll your boat, gently down the streeeeam | bangular | 2004-02-23 14:00:50
Re: Troll your boat, troll your boat, gently down the streeeeam | RobEnderle | 2004-02-24 09:54:11
Re: Troll your boat, troll your boat, gently down the streeeeam | bangular | 2004-02-24 10:40:08
Re: Troll your boat, troll your boat, gently down the streeeeam | RobEnderle | 2004-02-24 11:14:21
Re: Troll your boat, troll your boat, gently down the streeeeam | bangular | 2004-02-24 13:27:47
Re: Troll your boat, troll your boat, gently down the streeeeam | RobEnderle | 2004-02-24 14:10:10
Re: Troll your boat, troll your boat, gently down the streeeeam | cricketjeff | 2004-02-21 06:39:38
Re: Troll your boat, troll your boat, gently down the streeeeam | RobEnderle | 2004-02-24 09:00:57
Re: Can Open-Source Software Survive an Audit? | jmpnop | 2004-02-18 10:19:40
Re: Can Open-Source Software Survive an Audit? | RobEnderle | 2004-02-20 07:52:51
Re: Can Open-Source Software Survive an Audit? | pasikoistinen | 2004-02-26 01:46:13
Re: Can Open-Source Software Survive an Audit? | ixnayrox | 2004-02-17 21:08:56
Re: Can Open-Source Software Survive an Audit? | RobEnderle | 2004-02-20 10:30:36
Re: Can Open-Source Software Survive an Audit? | beaner | 2004-02-23 07:51:47
Re: Can Open-Source Software Survive an Audit? | RobEnderle | 2004-02-24 14:33:19
Re: Can Open-Source Software Survive an Audit? | phfcpa | 2004-02-21 07:19:36
Re: Can Open-Source Software Survive an Audit? | RobEnderle | 2004-02-24 09:15:42
Re: Can Open-Source Software Survive an Audit? | alfarom | 2004-02-24 05:45:42
Re: Can Open-Source Software Survive an Audit? | RobEnderle | 2004-02-24 09:27:45
Re: Can Open-Source Software Survive an Audit? | alfarom | 2004-02-24 13:47:46
Re: Can Open-Source Software Survive an Audit? | RobEnderle | 2004-02-24 15:00:56
Personally, you're wrong... | DarkProximity | 2004-02-25 09:46:24
Re: Personally, you're wrong... | Smithy2004 | 2004-02-25 13:23:05
sorry, I had to leave | DarkProximity | 2004-02-26 10:21:45
hehe... let me explain. | DarkProximity | 2004-02-26 05:58:42