For what it is worth, I'm an "official" CISSP and based on the test I can tell you that CISSP != TRUTH in many cases. This is part of the issue in DoD. Misunderstandings of OSS. Many folks get
this sort of tripe without questioning the wisdom. I frankly want to be able to
look under the hood if I need to. Not having this option inherently
creates risk.<br>
<br>Here is a good resource on security and open source if you guys care:<br><a href="http://www.dwheeler.com/oss_fs_why.html">http://www.dwheeler.com/oss_fs_why.html</a><br><br><br>-Josh<br><br><div class="gmail_quote">
On Fri, Oct 22, 2010 at 7:36 AM, George Allen <span dir="ltr"><<a href="mailto:glallen01@gmail.com">glallen01@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
I'm taking a CISSP course this week, and unfortunately have to miss<br>
the selinux presentation because of it. But it's pretty amazing the<br>
bias against opensource built into the course. It even involves a bit<br>
of dissonance: nmap, tripwire, nessus, backtrack all these tools are<br>
open-source, but the same people talk about "Open-source code gives<br>
false security, just because more people can look at the code doesn't<br>
mean someone will write a vulnerability into it. Or that someone will<br>
find a vulnerability and not say anything until after they exploit<br>
it."<br>
<br>
At this point I piped up to say "Doesn't what you just said violate<br>
Kerckhoffs' principle that you just talked about - that a<br>
cryptographic algorithm should derive its security from the key, not<br>
from the secrecy of the algorithm? Then how can you say publishing an<br>
algorithm leads to security with cryptology, and then violates<br>
security with software at large?"<br>
<br>
He didn't really address it.<br>
<br>
Still, I think the perception is that opensource is made up of random<br>
patches from any kid drinking mountain dew in their mom's basement.<br>
And they don't realize that there's a whole system which actually<br>
rejects many patches, and does levels of quality control on both<br>
incoming and included patches. Maybe this is one thing the advocates<br>
also need to emphasize is that linux is developed with a process and<br>
albeit with the 'bazaar' it's not flat out anarchy.<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>Joshua L. Davis<br>678.831.0182<br>