After the recent findings of a back door in Dual_EC surreptitiously included in Juniper's product, I was curious if Sophos has planned any audits for unauthorized code.
Unlike Juniper, which is a closed code system, UTM is 99% based on open source code, so it is constantly audited and reviewed by the open source community.
It's somewhat of a fallacy to assume that open source projects are being reviewed and audited. It really depends on the governance of each organization/project/component. We cannot assume that an open source project is free of critical defects because it's open source; one only has to be reminded of the Heartbleed and Shellshock defects.
Many companies just use open source to offset development costs. They often take no further measures to attest the authenticity of binaries from open source projects, nor do they take responsibility to verify whether the open source project is actually safe. I'm not saying Sophos falls under this category, but it isn't exactly forthcoming about its procedures and policies when dealing with open source projects.
So the question remains. What processes and policies does Sophos employ to review the code?
I really don't expect this to be answered, since silence is part of operations security.
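The point above about attesting the authenticity of upstream binaries is a concrete, checkable step rather than a policy question, so here is an added example of what that looks like in practice. It is not code from this thread, from Sophos, or from any Sophos product; the release name, the archive bytes and the checksum file are constructed for the example. The idea is the one a vendor ingesting open source code can apply regardless of governance upstream: record the digest of the release that was actually reviewed, publish it in the same `SHA256SUMS` format projects use, and have the build refuse any artifact that does not match or is not pinned at all.

```python
import hashlib
import hmac

# Constructed sample release: these bytes stand in for a source tarball the
# vendor pulls from an open source project. The file name is hypothetical.
RELEASE_NAME = "example-lib-1.2.3.tar.gz"
RELEASE_BYTES = b"example-lib-1.2.3 source tree (constructed sample, not a real archive)\n"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string as lowercase hex, the form SHA256SUMS files use."""
    return hashlib.sha256(data).hexdigest()


def pin_release(name: str, data: bytes) -> str:
    """Produce one SHA256SUMS-style line ('<hex>  <name>') at vetting time.

    In a real pipeline the digest comes from the project's published checksum
    file (after checking its signature) and is recorded against the reviewed
    release; here it is computed from the constructed sample so the example
    runs offline.
    """
    return f"{sha256_hex(data)}  {name}"


def parse_sha256sums(text: str) -> dict:
    """Parse SHA256SUMS content into {file name: hex digest}.

    Accepts the GNU coreutils layout: 64 hex chars, two spaces (or ' *' for
    binary mode), then the file name. Blank lines and '#' comments are
    skipped; anything else is rejected rather than guessed at.
    """
    pinned = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # second separator space or '*' binary marker
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest) or not name:
            raise ValueError(f"malformed SHA256SUMS line: {raw!r}")
        pinned[name] = digest
    return pinned


def verify_artifact(name: str, data: bytes, pinned: dict) -> bool:
    """Return True only if `name` is pinned and `data` hashes to that digest.

    Fails closed: an artifact with no pinned digest is rejected, because an
    unpinned file is exactly the gap a modified upstream release would slip
    through. The comparison is constant-time so timing does not reveal how
    many leading characters of a wrong digest matched.
    """
    expected = pinned.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


# Vetting time: record the digest of the reviewed release in the checksum file.
PINNED_SUMS = "# constructed example checksum file\n" + pin_release(RELEASE_NAME, RELEASE_BYTES) + "\n"
PINNED = parse_sha256sums(PINNED_SUMS)

if __name__ == "__main__":
    # Build time: the reviewed bytes verify; a one-byte change or an
    # artifact nobody pinned does not.
    print(verify_artifact(RELEASE_NAME, RELEASE_BYTES, PINNED))            # True
    print(verify_artifact(RELEASE_NAME, RELEASE_BYTES + b"\x00", PINNED))  # False
    print(verify_artifact("unvetted.tar.gz", RELEASE_BYTES, PINNED))       # False
```

The digest on its own only proves the build got the bytes the reviewer pinned; it says nothing about whether that review was any good, which is the governance question the post is really asking. Checking the upstream checksum file's signature before pinning closes the first gap; only the vendor's own review process closes the second.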