
Sophos code review?

After the recent findings of a back door in Dual_EC  surreptitiously included in Juniper's product, I was curious if Sophos has planned any audits for unauthorized code.

  • Unlike Juniper, which is a closed code system, UTM is 99% based on open source code, so it is constantly audited and reviewed by the open source community.
  • Not really 99%, but mostly open source. The WebAdmin and HTTP proxy/application control/web filtering/A/V do NOT use open-source code, and that's the biggest functionality block of the UTM.
  • Well, the web filtering, although portions were re-coded in house, was based on Squid. :)
  • Not anymore, it is 100% proprietary... let's say I have had some in-depth conversations about this one. :)
  • It's somewhat of a fallacy to assume that open source projects are being reviewed and audited. It really depends on the governance of each organization/project/component. We cannot assume that an open source project is free of critical defects because it's open source; one only has to be reminded of the Heartbleed and Shellshock defects.

    Many companies just use open source to offset development costs. They often take no further measures to attest the authenticity of binaries from open source projects, nor do they take responsibility to verify whether the open source project is actually safe. I'm not saying Sophos falls under this category, but it isn't exactly forthcoming about its procedures and policies when dealing with open source projects.

    So the question remains. What processes and policies does Sophos employ to review the code?

    I really don't expect this to be answered, since silence is part of operations security.
  • Very nicely said, Bloudraak.

    "It's somewhat of a fallacy to assume that open source projects are being reviewed and audited." Agreed, but many of the open source packages that UTM uses have extremely good governance, as they also have a very widely used commercial branch. Those that are purely free are so ubiquitous within the Linux world that they must be reviewed and updated frequently or risk being dropped by the distros that use them, which are used by governmental entities, banks, etc.

    We are of course also making an assumptive leap about code reviews. Let's take Juniper for example. They have stated that they're doing a code review in order to put their customers' minds at ease after the recent issue. Will they put 1000 of the best programmers and code security auditors in the world on it, using the greatest debuggers and software auditing tools ever created, or do they put Bubba, who just put his first "Hello World" together 2 months ago, on it? We just don't know.

    There is only one guarantee that requires no assumptions: there will still be bugs and vulnerabilities in code that no one has either thought to exploit yet... or is willing to.

    This was fun.

    ...and you are correct that it can't be stated to the public, but suffice it to say that Sophos does have a vetting process for its code. :)
  • Do you have a reference where Sophos publishes which OSS components they use in the UTM? This thread seems to disagree on the matter.
  • Sophos doesn't publish a list for public consumption. This thread disagrees on what open source components are used? I'm a bit confused by that.

  • There was a difference of opinion between you and William on whether components were based on Squid.

    So there is not even a list for paid customers? If that is true, the Sophos UTM is pretty much a closed system. And for me, as a paying customer, your answer doesn't really answer the original question.
  • You sure are tenacious for someone who said "I really don't expect this to be answered". lol

    William and I may have our occasional disagreements on things, but after 10-odd years on the forums together, there's still respect. He knows more about some things than I do (like about the latest CPU that came out 2 minutes ago) and vice versa. Nobody is an expert on everything. That's why this user-to-user forum is a community. Different views, ideas, theories, and information are part and parcel.

    About the banter with William. Firstly, the OP wasn't asking about functional components, which William misunderstood; we were talking about the actual code base, which is a very different thing. Secondly, he may have forgotten that my info doesn't come second-hand: I have seen and reviewed the base code for the web proxy, and we'll leave it at that. There are large portions that were written from scratch in-house, more now with the last couple of v9 major versions, but large pieces were also used from/based on code from Squid, and of course it still uses some Linux standard runtime libraries to function. It's a hybrid, like other components such as App Control: some in-house, some from elsewhere. A/V of course is not open source, but commercial. WebAdmin is a proprietary locally hosted script-based web site that also uses open-source components to do its thing.

    "So there is not even a list for paid customers? If that is true, the Sophos UTM is pretty much a closed system." Not true, you can enter the shell and look around to see what's in there. Don't change anything or, as a paying customer, you will violate your support agreement, per the warning at the shell. Sophos doesn't actively hide what's in there. The base distro is SUSE, SSL VPN is OpenVPN, DNS is Bind, IPS is Snort, WAF is ModSecurity, and so on. Each of those named has been mentioned dozens if not hundreds of times on the forums. With the exception of the "big boys", it is extremely common in the software world to license code/programs from 3rd party vendors and not overtly document this to the public. In this specific market segment, Sonicwall (Dell), Watchguard, Checkpoint, etc. all do this. Even if they don't license complete products/applications/modules, many companies, including Cisco and Juniper, will have 3rd party companies code some new feature sections of their products because they do not have the internal experience/resources in those areas to do it themselves. Of course those companies tend to eventually buy out their vendors. :) As a paid user, you do have the ability to open up a case with Support to request a complete list of all software in the UTM that was not coded 100% by Sophos. Whether you'll get it or not is another story.

    "And for me, as a paying customer,..." Paid license or home license, everyone has equal importance and value on these user-to-user forums. I've spent 60 seconds helping someone who I know is a large enterprise customer with multiple top tier appliances (and the licensing subscriptions that go with it) and I've spent hours real-time doing replication tests to solve an issue for a free home user.

    "...your answer doesn't really answer the original question." As mentioned previously, Sophos does have a code vetting process for its code. What hasn't been said is that Sophos does work closely with many of the component suppliers, both commercial and open source, to ensure that both existing and potential issues are resolved. These are things that are constant and ongoing, not a knee-jerk reaction to the fallout from a competitor not having followed secure coding practices for a significant period of time. Sophos is a security company, not just a firewall vendor.

    We've really beat this one to death Bloudraak. Hopefully this has allayed your fears and concerns. If you want to attempt to get more detailed information, you'll need to go through the official communication channels to Sophos for paid licensees. Either via your reseller or via a support case.
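Bloudraak's point earlier in the thread, that vendors often take no measures to attest the authenticity of the upstream binaries they bundle, has a concrete first step that any consumer of open source can apply: verify every downloaded artifact against the project's published digest manifest before it enters the build. The block below is an added example written for this page, not Sophos code and not anything posted in the thread. It parses a `sha256sum`-style manifest (both the two-space text form and the `*` binary form), refuses manifest lines that could steer the verifier outside the download directory, streams each file through SHA-256, and reports `ok`, `mismatch` or `missing` per entry. The file names in the fixture are hypothetical and the file contents are constructed from two well-known SHA-256 test vectors (the digests of `"abc"` and of the empty string). It assumes the manifest itself has already been authenticated out of band, for instance by checking its detached signature against the project's release key; a digest file served from the same mirror as the tarball proves only that the two agree, not that either came from the project.

```python
"""Checksum verification of upstream artifacts against a SHA256SUMS-style manifest.

Added example (not Sophos code, not from the thread). Assumes the manifest has
already been authenticated (e.g. detached signature checked against the
project's release key); this step only proves each file matches the manifest.
"""
import hashlib
import hmac
import os
import posixpath
import tempfile

# Well-known SHA-256 test vectors: sha256("abc") and sha256(""), used by the fixture.
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
SHA256_EMPTY = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def parse_sums(text):
    """Parse sha256sum output: '<64 hex>  <name>' (text) or '<64 hex> *<name>' (binary).

    Rejects malformed lines, conflicting duplicate entries, and names that could
    escape the download directory, so a hostile manifest cannot point the
    verifier at arbitrary files on the host.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<digest> <name>'")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: bad SHA-256 digest")
        if posixpath.isabs(name) or ".." in name.split("/"):
            raise ValueError(f"line {lineno}: unsafe path {name!r}")
        if name in entries and entries[name] != digest:
            raise ValueError(f"line {lineno}: conflicting digests for {name!r}")
        entries[name] = digest
    return entries


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large tarballs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_tree(manifest_text, root):
    """Return {name: 'ok' | 'mismatch' | 'missing'} for every manifest entry."""
    results = {}
    for name, expected in parse_sums(manifest_text).items():
        path = os.path.join(root, *name.split("/"))
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = sha256_file(path)
        # Constant-time compare: cheap insurance against timing leaks on the digest.
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return results


def demo():
    """Constructed fixture (hypothetical names): one good file, one tampered, one absent."""
    manifest = (
        f"{SHA256_ABC}  vendor-component-1.0.tar.gz\n"   # text-mode entry, matches
        f"{SHA256_EMPTY} *CHANGELOG\n"                    # binary-mode entry, tampered on disk
        f"{'0' * 64}  patches/never-downloaded.diff\n"    # listed but never fetched
    )
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "vendor-component-1.0.tar.gz"), "wb") as f:
            f.write(b"abc")                # digest equals SHA256_ABC
        with open(os.path.join(d, "CHANGELOG"), "wb") as f:
            f.write(b"altered on mirror")  # manifest expects the empty file
        return verify_tree(manifest, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8} {name}")
```

Any result other than `ok` across the board should fail the build rather than log a warning; a `mismatch` on a mirror-served tarball is exactly the signal this check exists to catch, and a `missing` entry usually means the manifest and the download set are from different releases.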