Is Code Auditing of Open Source Apps Necessary?

An anonymous reader writes "Following Sun Microsystems' decision to release a raft of open source applications to support its secure cloud computing strategy, companies may be wondering if they should conduct security tests of their customized open source software before deployment. While the use of encryption and VPNs to extend a secure bridge between a company IT resource and a private cloud facility is very positive — especially now that Amazon is beta testing its pay-as-you-go private cloud facility — it's important that the underlying application code is also secure. What do you think?"
  • OpenBSD (Score:2, Informative)

    by Anonymous Coward on Wednesday December 23, 2009 @12:47PM (#30536248)

    OpenBSD does code audits. All security-sensitive applications should be audited, if not by the developers, then by the people deploying them, if they have the resources.

  • Re:Yes. (Score:1, Informative)

    by Anonymous Coward on Wednesday December 23, 2009 @02:46PM (#30537518)

    Code review of **every line** is best practice. That means independent, desk-check-style code reviews. The reviewer needs to feel they could put their name on the code, or start writing action. Any questions need to be addressed prior to the sit-down review with an uninterested moderator. Any burning questions that were not answered to everyone's satisfaction need to be researched until there are no more "I don't understand that section of code" responses.
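    The question the submission raises, and this comment answers with "every line", is how to get a customized open-source tree reviewed before deployment. The following is an added example, not code from the page, from Sun, from OpenBSD or from any commenter: it scopes the review by diffing the deployer's customized copy against the pristine upstream release, so the local patches get read first, and it flags a handful of risky C calls in the added lines. The two directory trees, the sample C source, and the risky-call list are all constructed here for illustration and are assumptions, not a real project's code or an exhaustive audit rule set.

```python
"""Scope a security audit of a customized open-source tree to the
customization delta, then flag risky calls in the changed lines.

Added example, not code from the page or from any project it names.
Assumptions: the deployer has the pristine upstream release and their
customized copy as two directory trees; RISKY_CALLS is an illustrative
starting point for a reviewer, not an exhaustive audit rule set."""

import difflib
import os
import re
import tempfile

# Illustrative patterns a reviewer would read first (assumption).
RISKY_CALLS = {
    r"\bstrcpy\s*\(": "unbounded copy; check destination size",
    r"\bsprintf\s*\(": "unbounded format; prefer snprintf",
    r"\bsystem\s*\(": "shell invocation; check argument provenance",
    r"\bgets\s*\(": "never safe",
}


def read_tree(root):
    """Map relative path -> list of lines for every file under root."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, encoding="utf-8", errors="replace") as fh:
                files[rel] = fh.read().splitlines()
    return files


def customization_delta(upstream_root, custom_root):
    """Return {path: [added lines]} for files that differ from upstream.

    New files count entirely as added; files deleted locally are listed
    with an empty list so the reviewer knows they went away."""
    up = read_tree(upstream_root)
    cu = read_tree(custom_root)
    delta = {}
    for path in sorted(set(up) | set(cu)):
        if path not in cu:
            delta[path] = []
            continue
        old = up.get(path, [])
        if old == cu[path]:
            continue
        # Keep only '+' lines of a zero-context unified diff, minus the
        # '+++' file header.
        delta[path] = [
            line[1:]
            for line in difflib.unified_diff(old, cu[path], lineterm="", n=0)
            if line.startswith("+") and not line.startswith("+++")
        ]
    return delta


def flag_risky(delta):
    """Return [(path, line, reason)] for added lines matching RISKY_CALLS."""
    findings = []
    for path, lines in delta.items():
        for line in lines:
            for pat, reason in RISKY_CALLS.items():
                if re.search(pat, line):
                    findings.append((path, line.strip(), reason))
    return findings


def demo():
    """Build a constructed upstream tree and a customized copy, then audit."""
    with tempfile.TemporaryDirectory() as tmp:
        up = os.path.join(tmp, "upstream")
        cu = os.path.join(tmp, "custom")
        os.makedirs(os.path.join(up, "src"))
        os.makedirs(os.path.join(cu, "src"))
        # Constructed sample sources (not from any real project).
        upstream_c = ["#include <stdio.h>",
                      "int handle(const char *name) {",
                      "    printf(\"%s\\n\", name);",
                      "    return 0;", "}"]
        custom_c = ["#include <stdio.h>", "#include <string.h>",
                    "int handle(const char *name) {",
                    "    char buf[32];",
                    "    strcpy(buf, name);  /* local patch */",
                    "    printf(\"%s\\n\", buf);",
                    "    return 0;", "}"]
        for root, lines in ((up, upstream_c), (cu, custom_c)):
            with open(os.path.join(root, "src", "handle.c"), "w") as fh:
                fh.write("\n".join(lines))
            with open(os.path.join(root, "README"), "w") as fh:
                fh.write("unchanged\n")  # identical in both trees
        delta = customization_delta(up, cu)
        return delta, flag_risky(delta)


if __name__ == "__main__":
    delta, findings = demo()
    for path, lines in delta.items():
        print(f"{path}: {len(lines)} added line(s) to review")
    for path, line, reason in findings:
        print(f"  {path}: {line!r}: {reason}")
```

    In the constructed sample the README is identical in both trees and drops out, while the locally patched `src/handle.c` shows four added lines, one of which (the `strcpy`) is flagged. The delta is where to start, not where to stop: the upstream code still needs its own review, which is the commenters' point about every line.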

  • by Kjella ( 173770 ) on Wednesday December 23, 2009 @03:22PM (#30537872)

    IANAL, but that clause would be trivial to toss out

    Lawyer: "I'm not a software developer, but it's trivial to use that java library in a C# application"

    That's about how many orders of magnitude wrong you are here. I also play my share of lawyer on Slashdot, but I know how to read cornell.edu - and it's amazing how much better the discussion would be if most people had - but I also know when to STFU and not make a fool out of myself. Like in this case, UCC 2-316, Exclusion or Modification of Warranties [cornell.edu], which quite clearly states that you can exclude any implied warranty of fitness or merchantability. You may get around that if you prove the disclaimers are unconscionable, but that's a tall order and not in any case trivial. Maybe for things that are more malice or fraud than incompetence, or in case of personal injury, which is why software often explicitly excludes any such use.
