Subject: Re: reviewing code
From: Ben Laurie <ben@algroup.co.uk>
Date: Fri, 30 Aug 2002 13:41:20 +0100

Harald Koch wrote:
> Of all the gin joints in all the towns in all the world, Ben Laurie
> had to walk into mine and say:
> 
>>Forrest J. Cavalier III wrote:
>>
>>>To answer your direct question, I did look carefully at SSLeay
>>>(before it became OpenSSL) and it looked pretty "well-done"
>>>to me.
>>
>>Ahem. Of the three remote exploits I reported recently, two were from 
>>the original code and one from contributed code (for Kerberos).
> 
> Which just goes to prove that code reviews don't matter much when it
> comes to security exploits. How many pairs of eyes have looked over that
> source code over the years? Three popular, and theoretically
> trustworthy, software packages have all recently had security alerts (I
> speak of SSH, Apache, and OpenSSL). Does this mean we can't trust
> trusted software? I don't think so...

I have no idea, but I can say that I didn't do a security review until I 
was paid to do so - it is far too much work to do for fun.

FWIW, my review isn't complete yet, either, so watch this space!

> (ObFsb: There's a viable business in deployment of the code fixes when
> they're announced :-).

I completely agree - we already do it for clients in the Bunker, but I 
see no reason it couldn't be expanded to a wider audience.

Cheers,

Ben.
-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

Available for contract work.

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff