Sardonix Source Code Security Auditing Portal

Crispin Cowan writes "We have just announced the Sardonix source code security auditing portal. Sardonix is intended to help, encourage, and preserve community security auditing of open source programs. The "many eyes" effect is enabled by open source software, but is not assured. Sardonix seeks to measure who is actually reviewing the source, and reward that work with public props.

Crispin"

Re:RMS in rare television appearence!!!

[phanki]

As mentioned above, it is indeed interesting how simple things in life can be looked at. But saying that Free Software Programmers can find gainful employment by takin some consideration over their appearence is an over-statement. The measure of a persons intellect not necessarily lies in the cost of the trouser or the tie.

Open Source for National Security?

[advtech]

Along the lines of a different side of the "security" issue, The Edge Report [edgereport.com] has posted an interesting article talking about the national security implications of closed source software. While the infiltration of Microsoft by Al Qaeda may have been only a rumor, the article [edgereport.com] explores a world where this could happen. And guess what? We're living in it. It closes with a powerful statement: "Closed source software vendors, in the name of National Security: Open your Code!".

http://www.edgereport.com/article.php?sid=135 [edgereport.com]

--

Um, fund a non-profit, Uncle Sam

[xarc]

The simple truth: Wirex is out to make a profit.

They've already had their DARPA contracts, and what have they contributed? No-exec patches for Linux. That's about it.

If the government had done their homework, they would have seen there are plenty of other companies that are NOT trying to capitalize on the security hype, and have a much greater pull and understanding of the community than Wirex. This project will fail, simply because Wirex cannot maintain and engage the community to an extent that it will become the premier bug-squashing center of the open source universe. If that is not the point of the project, then the money is wasted anyway.

I'd much rather see the US funding non-profit software-security initiatives. It needs to be non-profit, and not affiliated with any one vendor. They need to be actively involved in the security community; not just post a message when they get funding. I think we'd see much greater success.

Re:Um, fund a non-profit, Uncle Sam

[Crispin Cowan]

Clue: DARPA funds lots of for-profit companies. The vast majority of them give back far less to the community than WireX does.

They've already had their DARPA contracts, and what have they contributed? No-exec patches for Linux. That's about it.

Brilliant. Completely, precisely wrong. The non-executable stack [openwall.com] patch is by Solar Designer. WireX has contributed StackGuard [immunix.org], FormatGuard [immunix.org], and the Linux Security Module [immunix.org] project, with more on the way.

They need to be actively involved in the security community; not just post a message when they get funding. I think we'd see much greater success.

• 114 moderator-approved posts to securityfocus.com mailing lists [google.com].
• 48 publications and citations [google.com] to our work on the USENIX site.
• I served on the USENIX Security 1999 [usenix.org] program committee.
• I was the publicity chair for the New Security Paradigms Workshop [nspw.org] for three years [nspw.org].
• My first post [nasa.gov] to the Linux Security Audit Project [lsap.org] in 1998.

I sure feel involved :-)

Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. [wirex.com]
Immunix: [immunix.org] Security Hardened Linux Distribution
Available for purchase [wirex.com]