| version 1.21, 1998/02/21 15:49:58 |
version 1.22, 1998/02/21 22:25:36 |
|
|
| |
|
| <p> |
<p> |
| <h3><font color=#e00000><strong>OpenBSD Security Views</strong></font></h3> |
<h3><font color=#e00000><strong>OpenBSD Security Views</strong></font></h3> |
| |
|
| OpenBSD believes in strong security. Our aspiration is to be NUMBER |
OpenBSD believes in strong security. Our aspiration is to be NUMBER |
| ONE in the industry for security. Our open software development model |
ONE in the industry for security (if we are not already there). Our |
| permits us to take a more uncompromising view towards increased |
open software development model permits us to take a more |
| security than Sun, SGI, IBM, HP, or other vendors are able to. We can |
uncompromising view towards increased security than Sun, SGI, IBM, HP, |
| make changes the vendors would not make. Also, since OpenBSD is |
or other vendors are able to. We can make changes the vendors would |
| exported with cryptography software, we are able to take cryptographic |
not make. Also, since OpenBSD is exported with <a href=crypto.html> |
| approaches towards fixing security problems. |
cryptography software</a>, we are able to take cryptographic |
| |
approaches towards fixing security problems.<p> |
| |
|
| <p> |
|
| |
|
| Like most readers of the |
Like most readers of the |
| <a href=http://www.geek-girl.com/bugtraq/index.html> |
<a href=http://www.geek-girl.com/bugtraq/index.html> |
| BUGTRAQ mailing list</a>, |
BUGTRAQ mailing list</a>, |
|
|
| experience shows that coding and release of proper security fixes |
experience shows that coding and release of proper security fixes |
| typically requires about an hour of work resulting in very fast fix |
typically requires about an hour of work resulting in very fast fix |
| turnaround. Thus we think that full disclosure helps the people who |
turnaround. Thus we think that full disclosure helps the people who |
| really care about security. |
really care about security.<p> |
| |
|
| <p> |
|
| |
|
| Our security auditing team typically has between six and twelve |
Our security auditing team typically has between six and twelve |
| members, and most of us continually search for and fix new security |
members, and most of us continually search for and fix new security |
| holes. We have been auditing since the summer of 1997. The process we |
holes. We have been auditing since the summer of 1997. The process we |
|
|
| just about every area of the system. Entire new classes of security |
just about every area of the system. Entire new classes of security |
| problems were found while we were doing the audit, and in many cases |
problems were found while we were doing the audit, and in many cases |
| source code which had been audited earlier had to be re-audited with |
source code which had been audited earlier had to be re-audited with |
| these new flaws in mind. |
these new flaws in mind.<p> |
| |
|
| <p> |
|
| Another facet of our security auditing process is it's proactiveness. |
Another facet of our security auditing process is it's proactiveness. |
| In almost all cases we have found that the determination of |
In almost all cases we have found that the determination of |
| exploitability is not an issue. During our auditing process we find |
exploitability is not an issue. During our auditing process we find |
![[BACK]](/icons/back.gif){kind=icon}
Return to security.html CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / www