version 1.21, 1998/02/21 15:49:58 | version 1.22, 1998/02/21 22:25:36

<p>
<h3><font color=#e00000><strong>OpenBSD Security Views</strong></font></h3>

OpenBSD believes in strong security. Our aspiration is to be NUMBER
ONE in the industry for security (if we are not already there). Our
open software development model permits us to take a more
uncompromising view towards increased security than Sun, SGI, IBM, HP,
or other vendors are able to. We can make changes the vendors would
not make. Also, since OpenBSD is exported with <a href=crypto.html>
cryptography software</a>, we are able to take cryptographic
approaches towards fixing security problems.<p>

Like most readers of the
<a href=http://www.geek-girl.com/bugtraq/index.html>
BUGTRAQ mailing list</a>,

experience shows that coding and release of proper security fixes
typically requires about an hour of work resulting in very fast fix
turnaround. Thus we think that full disclosure helps the people who
really care about security.<p>

Our security auditing team typically has between six and twelve
members, and most of us continually search for and fix new security
holes. We have been auditing since the summer of 1997. The process we

just about every area of the system. Entire new classes of security
problems were found while we were doing the audit, and in many cases
source code which had been audited earlier had to be re-audited with
these new flaws in mind.<p>
Another facet of our security auditing process is its proactiveness.
In almost all cases we have found that the determination of
exploitability is not an issue. During our auditing process we find