Slashdot Mirror


Does Open Source Need a Red Team?

garyebickford writes "IMHO the Open Source community (whatever that is) needs a Red Team project. This would be an open source project, but its output would be a process rather than a piece of software. If such a group exists, I'm not aware of it. This document and this page [from the Google cache] are from a commercial company (picked at random from a Google search) that provides similar services. The OS Red Team would provide 3rd party security testing, code review and evaluation for open source projects prior to release, providing a 'report card' stating what has been reviewed and tested, and recommending fixes. When a package is released, the Team's 'weather report' stating the probabilities that a package would survive different kinds of attack would be a valuable piece of information for prospective users." Do you think the Open Source Community would benefit from such an effort?

"The Team could also provide a set of recommended processes and tools for O.S. projects to follow prior to submission to the Red Team test queue. This by itself would be a valuable tool.

Such teams are sometimes used by companies to test the security of their networks and software. The O.S. community have done an excellent job so far, but as open source is used more and more by mainstream computer users, vetting by a 3rd party would help make many organizations more likely to accept a piece of O.S. software.

The Team would, like any open source project, be comprised of both experts and newbies. The newbies would have the opportunity of doing real testing under the guidance of folks who know more, thereby becoming more expert themselves. The experts would provide a centralized open-source-oriented set of recommendations and specialized review as needed.

Either the Red Team or its members could also provide paid services for commercial software, and could participate with university CS departments in training students, providing the opportunity for valuable cross-training between schools. It might even be possible to arrange course credit for work on the Team.

Many Open Source projects could benefit from such a 3rd party group to recommend development procedures, code styles, and actual testing to teach and motivate better security practices in code design. The plain fact is that many (most?) of us developers are not completely 'up' on the issue of security - it's a very dynamic area of specialization. This initiative could be another resource that will be useful in establishing OS in the mainstream."

3 of 49 comments

  1. Dollar continues to decline against the Euro by EuroTroll · Score: 0, Offtopic
    Have you noticed that the dollar hasn't been doing very well against the euro?

    You might want to check out this chart and see for yourself.

    1. Re:Dollar continues to decline against the Euro by Captain+Pedantic · Score: 0, Offtopic

      Stroke of genius by Bush & co.

      A devalued dollar will really help US exports and therefore the economy, but at the same time it will be the Tax cuts which take the credit. Of course, the Keynesian method of pumping Iraqi oil money into US companies will also help, but again this essentially left wing economic policy will be ignored and the right wing trickle down policy will look like it saved the day.

      The icing on the cake, however, is in making USians too afraid to travel abroad, therefore they will be oblivious to the negative effect of the weak dollar.

      --

      None are more hopelessly enslaved than those who falsely believe they are free. Johann Wolfgang von Goethe.
  2. The obvious answer is... by melete · Score: 1, Offtopic

    Hmmm....OpenBSD, anyone?