[ale] CISSP != happy + OSS

Joshua L. Davis simplehuman at gmail.com
Fri Oct 22 11:29:10 EDT 2010


For what it is worth, I'm an "official" CISSP and based on the test I can
tell you that CISSP != TRUTH in many cases.  This is part of the issue in
DoD.  Misunderstandings of OSS.  Many folks get this sort of tripe without
questioning the wisdom.  I frankly want to be able to look under the hood if
I need to.  Not having this option inherently creates risk.

Here is a good resource on security and open source if you guys care:
http://www.dwheeler.com/oss_fs_why.html


-Josh

On Fri, Oct 22, 2010 at 7:36 AM, George Allen <glallen01 at gmail.com> wrote:

> I'm taking a CISSP course this week, and unfortunately have to miss
> the selinux presentation because of it. But it's pretty amazing the
> bias against opensource built into the course. It even involves a bit
> of dissonance: nmap, tripwire, nessus, backtrack all these tools are
> open-source, but the same people talk about "Open-source code gives
> false security, just because more people can look at the code doesn't
> mean someone will write a vulnerability into it. Or that someone will
> find a vulnerability and not say anything until after they exploit
> it."
>
> At this point I piped up to say "Doesn't what you just said violate
> Kerckhoffs's principle that you just talked about - that a
> cryptographic algorithm should derive its security from the key, not
> from the secrecy of the algorithm? Then how can you say publishing an
> algorithm leads to security with cryptology, and then violates
> security with software at large?"
>
> He didn't really address it.
>
> Still, I think the perception is that opensource is made up of random
> patches from any kid drinking mountain dew in their mom's basement.
> And they don't realize that there's a whole system which actually
> rejects many patches, and does levels of quality control on both
> incoming and included patches. Maybe one thing the advocates
> also need to emphasize is that linux is developed with a process and,
> albeit with the 'bazaar', it's not flat out anarchy.
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>



-- 
Joshua L. Davis
678.831.0182

