Forum OpenACS Q&A: Re: OpenACS ISECOM Security Testing

Posted by Frank Bergmann on
Hi Chris,

thanks a lot for your involvement and your great comments. Well, I didn't tell you that we got a special deal with ISECOM... I have forwarded your comments to Pete so that he can react to them. And yes, ISECOM has tight links to Ideahamster.

<blockquote> Google shows very few links to their site.
</blockquote>
It seems open-source methodologies suffer the same image problems as software used to... I know from Pete that the DoD itself is auditing a large part of its computers using his manuals, but they are unwilling to talk publicly about it. It's a nice reference customer though...

<blockquote> liability
</blockquote>
It seems you are pointing out a correct problem. Unfortunately this problem is _known_ to have no solution, so the strategy seems to be to look for different problems... 😊
In particular we will have to distinguish between the scope of certification and the general improvement of security of OpenACS and Project/Open. It's not the same thing, so we will need to do both, even if general security enhancements and increased security awareness from the developers side cannot be certified.

Alwin Egger, a senior developer at P/O is going to handle the certification process. We are currently clarifying the procedure and preparing a project plan for the next three months.

In particular, he is going to coordinate a list of known vulnerabilities and security issues, both resolved ones and open ones, as a base. In a second step he is going to check the code for these vulnerabilities. So _he_, and not the ISECOM guys, is going to do the real work. It would be great if you could help him by contributing known issues with the code, such as the "categorized revision item" you are mentioning.

Hope that makes a bit more sense...

Bests,
Frank