Forum OpenACS Q&A: Re: OpenACS ISECOM Security Testing

Posted by Pete Herzog on
Hi,

Perhaps I can answer some of the outstanding questions because I think confusion started when Frank didn't explain the whole situation.

Ideahamster was the original name of the open source documentation group who wrote a few methodologies on secure programming and security testing.  In December 2003 we became an official non-profit in both New York and Spain.  We did this because the name "ideahamster" was not well received by official types.

I'm not sure where you find our website to be less than adequate as many OS websites have broken links occasionally since we have no manpower to maintain it as often as corporate ones.  We lost our Canadian mirror hosting the forum to a faulty motherboard but other than that, we still own the domain name and can still control where it points so I don't see how anyone else could set it up and misdirect people.  I suppose this could be done by anyone to anyone who controls a DNS server used by a large number of people, like an ISP, but then it wouldn't actually be that widespread.

About the proposed certification-- about 1 year ago we were asked to create a methodology for which one can measure the deltas of software in their environment.  This is not the same as securing software through code.  This does mean measuring the security of software and all 3rd party components needed to run in certain environments as well as the installation (default) configurations.  We did this.  The worth of such a test is dependent on the size and scope of the software with associated environment.  Our first contact to make the methodology put the price at $10,000US.  As I ran into Frank at the university, I explained this to him and our discussion led to the proposal-- we would certify his solution in return that he works with us to refine the process into a service we may offer in the future on a regular basis.  However, we would only be the accrediting authority and not the testers.  This requires that the process be sound which is what we want from Frank's support.

Frank's certification requires us to examine the installation of OpenACS as well as other components of his solution.  We did ask Frank to verify the software code himself and we have helped already one of his project people on the methodology of testing source code.  While verifying source code improves the product's security, it is not required for a delta certification.  It's in his (and everyone's) best interest that the solution is secure.

As for Visa's CISP and CISA, they are part of our generic methodology (www.osstmm.org) and our delta methodology, therefore it would be verified for compliance.  In this case, we ascertain that even if there were to be a bug, the solution would fail securely and proper loss controls would assure no sensitive data is surrendered.

I hope this helps.

Sincerely,
-pete.