Does Open Source Need a Red Team?
"The Team could also provide a set of recommended processes and tools for O.S. projects to follow prior to submission to the Red Team test queue. This by itself would be a valuable tool.
Such teams are sometimes used by companies to test the security of their networks and software. The O.S. community has done an excellent job so far, but as open source is used more and more by mainstream computer users, vetting by a 3rd party would help make many organizations more likely to accept a piece of O.S. software.
The Team would, like any open source project, be comprised of both experts and newbies. The newbies would have the opportunity of doing real testing under the guidance of folks who know more, thereby becoming more expert themselves. The experts would provide a centralized open-source-oriented set of recommendations and specialized review as needed.
Either the Red Team or its members could also provide paid services for commercial software, and could participate with university CS departments in training students, providing the opportunity for valuable cross-training between schools. It might even be possible to arrange course credit for work on the Team.
Many Open Source projects could benefit from such a 3rd party group to recommend development procedures, code styles, and actual testing to teach and motivate better security practices in code design. The plain fact is that many (most?) of us developers are not completely 'up' on the issue of security - it's a very dynamic area of specialization. This initiative could be another resource that will be useful in establishing OS in the mainstream."
Re:Dollar continues to decline against the Euro (Score:1, Offtopic)
A devalued dollar will really help US exports and therefore the economy, but at the same time it will be the Tax cuts which take the credit. Of course, the Keynesian method of pumping Iraqi oil money into US companies will also help, but again this essentially left wing economic policy will be ignored and the right wing trickle down policy will look like it saved the day.
The icing on the cake, however, is in making USians too afraid to travel abroad, therefore they will be
The obvious answer is... (Score:1, Offtopic)
The obvious answer is... (Score:1, Redundant)
Already have an ecosystem. (Score:1)
If money doesn't motivate you in such direct ways, you tell the authors, they fix it. You post to bugtraq, and your career gets a boost.
This is one part of open source that has viable business models. I don't think any more community effort than what is already being done (yes, people are auditing code) is going to fly.
Re:Already have an ecosystem. (Score:2, Interesting)
http://www.idefense.com/vcp_faq.html
I've seen a couple others, I can't recall offhand.
Funding? Needed at All? (Score:5, Insightful)
And of course, the benefit of open source is that all sorts of motivated, talented people from all over the world pitch in to do a similar analysis for free, and without a formal "red team." This breaks down quite a bit with the volume of Free Software being produced nowadays, however. But the important pieces of infrastructure (Apache, e.g.) DO get the scrutiny their importance demands. Not to mention pounding by black hats.
Someone mentioned OpenBSD [openbsd.org]. But even they don't audit everything. They confine their attention to the core of the OS. That's quite a lot of software, but the ports tree is quite a bit more. The ports get somewhat more attention than they would simply because you've got a large set of security conscious users.
Re:Funding? Needed at All? (Score:2, Insightful)
The paper by _iris (92554) [slashdot.org] suggested previously that this function might be part of
Re:Funding? Needed at All? (Score:2)
I don't disagree that Free Software could use more security auditing. That's the principal focus of OpenBSD and other projects. And I do believe that more-or-less secure components often get pu
Re:Funding? Needed at All? (Score:2)
Re:Funding? Needed at All? (Score:2)
Re:Funding? Needed at All? (Score:2)
hbo@gate> named -v
BIND 9.2.2
I was off by one tab in konsole. 8-\
Yes. (Score:4, Interesting)
The second phase of the open model was the documentation phase. When they collected code from the net to make their products, the commercial vendors of open software took the raw, unrefined code, and harnessed its power into a form that PHBs could recognize. Now we have Ximian - a refined product that PHBs recognize, built on the creativity of GNOME developers. Now we have MontaVista and Timesys Linux kernels - products that PHBs recognize, refined to their needs, but built on the creativity of the kernel developers.
I suppose that the third stage of the open model might be to do this - to help open projects apply best practices for software creation, test, and maintenance. I just don't know who you're going to get to do it. Individual developers, I would imagine, will be more concerned with the raw creativity of hacking at code in vi. Commercial companies will be more likely to apply these practices to the code that they ship to their customers, not the code that lives in the repository at SourceForge, although maybe they coincide.
I suppose my point is that you have to find people who want to do it, or money to make people want to, and I'm not sure where you're going to find either.
"Best Practices" are context-dependent (Score:5, Interesting)
I suppose that the third stage of the open model might be to do this - to help open projects apply best practices for software creation, test, and maintenance.
Are you implying that open development (with its world-readable version trees, communication through archived, public message systems, bypassing monetary systems as the controlling aspect of software development, etc.) has somehow proved itself so inefficient that it should be given up in favor of whatever the closed development sector has to offer?
It's the closed commercial sector that is supposed to bend toward open methods, not vice versa. That is happening through grass-roots efforts like "stealth" installments of Linux servers at the end of the 1990s followed by "stealth" installments of Linux workstations right now, as well as governmental and communal bodies around the world already embracing the open model as a cost- and result-effective method unbound by the insecurities of commercial offerings.
I'm sorry to sound this flamy, but your comment (as well as this whole subject, actually) reminds me of quite a few people who claim they have a grasp of the open development model, while they still look at it through a 1980's commerce school's window.
As for the security of Open offerings, mature projects' insecurity (the cumulative time window of exploits open against product's lifetime) should be compared to that of closed-development (=non-patch-accepting) offerings. From what I gather, on that basis insurance prices against IT disasters should be considerably cheaper with mature Open products.
Re:"Best Practices" are context-dependent (Score:3)
But let's be realistic about what's going on.
Where I work, half of our product is the documentation that we supply to our customers detailing design, implementation, and testing. A big chunk of our time is spent going over records of integration testing and through the logs of
Re:"Best Practices" are context-dependent (Score:2)
Absolutely. Real world is infinitely interesting.
It has been my experience, and correct me if I'm wrong, but most open source projects pride themselves on the design behind the technical aspects of their projects, not by their quality assurance.
That might well be. It might well be a contributor to quality as well, but this is getting hypothetical. In the free software world, it seems quality is being ensured more by stable service uptime than development-doc
Maybe you should try asking the OSDL (Score:4, Insightful)
I recall they are an organization sponsored by big names in the IT industry that could possibly explore such an idea. Their idea is to provide enterprise-class testing to help advance the Linux community. I don't see why this couldn't be an extension of it.
I'm sure a nicely worded, thought out paper explaining the benefits would at least get a response, and possibly spike some interest.
Red Team Go! Red Team Go! (Score:2, Funny)
They could wear MIT wearables [mit.edu], have an internet uplink [natecarlson.com], and code-fu your ass into submission.
The Two-Edged Sword of Open Source Software (Score:5, Interesting)
Insurance, yes (Score:2, Interesting)
Re:Red leader do you copy? - Use the Source Luke (Score:1)
sorry, had to...
Process will make it better? (Score:4, Interesting)
I've been a part of many small and large processes, and none of them were effective. The best any of them were able to do was to soften what was produced by the morons. In lessening the effect of retarded developers, the processes become a hindering block to those who know wtf they are doing. Process is so fun.
Software development needs to be organic. OSS needs more mentors, gurus of the deep, dark, unknown to become one with the new blood. It is about community, and about collaboration - the real sort of kinship where people build things together. Process is about as un-personal as it gets.
Re:Process will make it better? (Score:2, Interesting)
I see this as just another project that is itself a resource to projects that want to make use of it, just as GTKlib is available as a resource.
Lest you go off the deep end waxing poetical in the da
Re:Process will make it better? (Score:3, Interesting)
One of the more complicated things we ever did, involved sending a guy to the moon. That involved lots of Engineering. That's the closest thing I can think of to writing new software. First, they didn't have the tools to
Re:Process will make it better? (Score:2)
I'm guessing you have little or no real-world experience. Consider artifacts from other technical disciplines: airliners, nuclear power stations, skyscrapers, etc. Very few software projects in the world are even within an order of magnitude of the complexity of one of those. Yet all those things require a great deal of process to get right, and the proof, as they say, is in
Re:Process will make it better? (Score:2)
I don't believe that is the case. Nearly all applications written are about retrieving data from some form of database, displaying it in some way, optionally allowing the user to edit it, optionally performing some calculation and writing it back to some form of database. Yet still, software projects frequently end in disaster.
Also, look at the people involved. Professi
Yes there is, it is called OpenBSD (Score:2)
Thank you Theo, you are great
It's [sort of] been done. (Score:1)
But seriously, folks, companies like Rational [rational.com] (now part of IBM) do this sort of thing. They sell products based on their ideas, but the end result of their efforts is software process techniques and tools. They've had some of the best minds in Computer Science working for them, people who have produced UML, the Unified Process, and many more while working at Rational.
OSS doesn't need a "Red Team" (Score:2)
Open Source projects have all the benefits of that sort of analysis built into the process already. Since the source is out there for anyone to analyze any way they see fit (source analysis, or external analysis of compiled binaries or running software), if the package has any interest from legitimate users, it tends to have interest from both white and black hack security analysis.
Generally the greater the end-user interest, the greater the security analysis interest. The black hats of course follow that
Re:OSS doesn't need a "Red Team" (Score:1)
I think the guy's proposing "Apache 1.2.3 has passed a thorough security audit by a reputable group". That'll weigh heavier with PHBs.
So we need a reputable group that's willing to audit and publish for free. OSS either needs to raise money to pay people to do this or to organise its own group and get it a good reputation. I think he's suggesting the latter.
Re:OSS doesn't need a "Red Team" (Score:2)
In real, actual, factual terms, saying that the most current release of Apache is secure because of all the reasons I outlined above carries far more real weight than any certification company can provide.
However, you are on the nose that a PHB would rather see an audit from an individual company. I guess it comes down to whether you want to bow down to the man and do what your PHB says regardless of how braindead it is, or you're willing to stand up to your PHB and educate them on the science and reality
"Community"? (Score:5, Interesting)
Nice idea. However, it fails on one problem: there is no "Open Source Community". Or rather, there is, but it's not the sort of homogeneous, integrated entity/organization that gives managers and powerpoint jockeys warm fuzzy feelings.
Rather, it's a bunch of dudes knocking out code. And for the same reason you're not going to get most of them to provide adequate documentation, which is thoroughly understandable given that (a) they're doing something for fun, and (b) they're not getting paid for it, you're not going to get these people to submit to procedures and processes, on the whole. Hobbyists will continue to build stuff on a lark, doing it the way they feel like doing it.
Now if you want to provide something like this as a service for companies hoping to use OSS, great. However, someone would have to pay for it, which takes away one of the big pluses of OSS. In fact, that's one of the reasons your average commercial entity goes for proprietary software--it's the management perception that there is an organized set of procedures and such behind its development (usually true to some degree) as well as an organization they can sue if things go pear-shaped.
Nice idea, but needs practical development.
other ways... (Score:3, Interesting)
I get the idea you want a company to do all this work and then place a certification on distros or packages. You confuse the issue with the buzzword-scented "red team" references, but it really sounds like you want to use the services of such a company - or create one and create buzz for such a company.
This already exists (Score:3, Funny)
Anyone else amused by the irony that someone is advocating that open source software should start practising the things closed source development is now getting buzzword compliant with, which is made popular in that arena because it's already such a success with open source software?
But look at the competition (Score:2)
Until that time, OSS is kicking the shit out of commercial software WRT security. I say just let it continue doing so.
Sardonix? (Score:2, Interesting)
Another thing to remember is that there are decent references out there, some quite well known, that people could follow and use but simply don't (Viega's book, a number of HOWTOs, etc.).
In any case, you might want to approach WireX and see what, if anything, can be done to resurrect Sardonix.
that would be cool... (Score:1)
Red Shirts (Score:4, Funny)
Captain Kirk, Mr. Spock, and the Red Team beam down to an alien planet -
Kirk - "Rodriguez, check to see what's causing that buzzing sound coming from the rock nearby."
Rodriguez (Red Team) - "Bleep you! Go check it out yourself! We've lost three Red Team members this past week that beamed down to strange worlds with you!"
very last post, i suck (Score:1)
very last post (Score:1)