Subject: Re: Microsoft: Closed source is more secure
From: "Jonathan S. Shapiro" <shap@eros-os.org>
Date: Mon, 7 May 2001 05:01:31 -0400

> On Thursday 03 May 2001 23:08, Stephen J. Turnbull wrote:
> >     Lynn> I should be familiar with every line of source code for
> >     Lynn> every package I run on the systems I maintain.  I should put
> >     Lynn> security absolutely above features.

This is, of course, infeasible, which is why assurance standards are
important.

As a practical matter, the best one can realistically do is divide the load
of reading everything across some mid-sized number of groups, having each
code examined more than once for the sake of a cross check, and then use the
software that comes up "clean".

The purpose of assurance standards is to let us agree about what "examine"
means. If you say to me: "I have looked at the code and found it good." I
don't know very much. If you say to me "I have looked at the code and
examined it using this process that we both understand, and evaluated it in
a rigorous and orderly way according to the following criteria" then
(provided I respect your competence) we both know within some acceptably
small margin of error what examination has actually been done.

Things like Common Criteria may, of course, be inadequate standards. There
are certainly issues requiring examination that CC doesn't address. I know
of a number in the Open Source context. Still, it is a useful and widely
understood starting point for an assurance model.

Jonathan