Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 16 replies
  • Subscribers 8 subscribers
  • Views 33818 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos code review?

NewImage

After the recent findings of a back door in Dual_EC  surreptitiously included in Juniper's product, I was curious if Sophos has planned any audits for unauthorized code.



This thread was automatically locked due to age.
Parents
  • 0
    Very nicely said Bloudraak

    "Its somewhat of a fallacy to assume that open source projects are being reviewed and audited" Agreed, but many of the open source packages that UTM uses have extremely good governance, as they also have a very widely used commercial branch. Those that are purely free, are so ubiquitous within the linux world that they must be reviewed and updated frequently or risk being dropped by the distros that use them, which are used by governmental entities, banks, etc.

    We are of course also making an assumptive leap about code reviews. Let's take Juniper for example. They have stated that they're doing a code review in order to put their customers minds at ease after the recent issue. Will they put 1000 of the best programmers and code security auditors in the world on it, using the greatest debuggers and software auditing tools ever created, or do they put Bubba who just created his first "Hello World" together 2 months ago on it. We just don't know.

    There is only one guarentee, that requires no assumptions. There will still be bugs and vulnerabilities in code that no one has either thought to exploit yet... or is willing to.

    This was fun.

    ....and you are correct that it can't be stated to the public, but suffice it to say that Sophos does have a vetting process for its' code. :)
Reply
  • 0
    Very nicely said Bloudraak

    "Its somewhat of a fallacy to assume that open source projects are being reviewed and audited" Agreed, but many of the open source packages that UTM uses have extremely good governance, as they also have a very widely used commercial branch. Those that are purely free, are so ubiquitous within the linux world that they must be reviewed and updated frequently or risk being dropped by the distros that use them, which are used by governmental entities, banks, etc.

    We are of course also making an assumptive leap about code reviews. Let's take Juniper for example. They have stated that they're doing a code review in order to put their customers minds at ease after the recent issue. Will they put 1000 of the best programmers and code security auditors in the world on it, using the greatest debuggers and software auditing tools ever created, or do they put Bubba who just created his first "Hello World" together 2 months ago on it. We just don't know.

    There is only one guarentee, that requires no assumptions. There will still be bugs and vulnerabilities in code that no one has either thought to exploit yet... or is willing to.

    This was fun.

    ....and you are correct that it can't be stated to the public, but suffice it to say that Sophos does have a vetting process for its' code. :)
Children
  • 0 in reply to Scott_Klassen
    Do you have a reference where Sophos publishes which OSS components they use in the UTM? This thread seems to disagree on the matter.
  • 0 in reply to bloudraak

    Have you (everyone and anyone) acquired the relevant GPL, and similar, source code from Sophos?

    It would be appreciated if someone would ask about the OSS components and code, through official channels, and share the official answer.  Multiple asks can useful for consistency checks in answers and encouraging clearer documentation.

    # less /doc/utm-3rd-party-licenses.txt

    RPM package name/version/release/arch and license, sorted by license:

    # rpm -qa --qf "%{name}-%{version}-%{release}.%{arch}\t%{license}\n" | sort -k2