http://qs1969.pair.com?node_id=148124

I have just come across a great implementation of Open Source and security. Ideahamster.org has taken security practices in general and security in relation to programming and brought these practices out in the open to peer review. These practices have been combined into workable standards for administrators and programmers.

The project is run by a former IBM Network Security Auditor (White Hat Hacker), who was running into roadblocks when discussing security strategies with other companies. This project seems to have sprouted from the idea that security, as a whole, will only be achieved if everyone combines their resources. This philosophy unfortunately is not accepted as a sound idea by most PHBs, so it was moved to a more beneficial environment: Open Source.

The Secure Programming Standards Methodology Manual is a pre-release version (V.90) of a complete secure programming standard (only available in HTML right now). It is language independent and very close to completion. It covers many areas including: Logging, Stack Smashing, Remote Compromise, Output, … but it still needs more input. I would highly recommend this as a read if you have ever thought about contributing to an Open Source project or have ever been concerned about the security of your programs.

Ideahamster.org has also released its Open Source Security Testing Methodology Manual V2 preview release 6 for review (PDF or HTML). It is a fully comprehensive security plan for any company (e.g. small, large or in-between), which can be implemented by 1 or 100 people.

Quoted from the Introduction:
“This manual is a definitive standard for unprivileged security testing in any environment from the outside to the inside. This focus requires that the tester has no special access point or permission different from that which is shared with the general public. The concept of this manual has and always will be to create one accepted method for performing a thorough security test. Regardless of the credentials of the security tester, the size of the security firm, financing, or vendor backing, any network or security expert who meets the outline requirements in this manual is said to have completed a successful security scattershot. This does not mean one cannot perform a test faster, more in depth, or of a different flavor. The tester following the methodology within this manual is said to have followed the standard model and therefore if nothing else, has been thorough. In doing so, the tester still must report the results of all modules and tasks fulfilled to include OSSTMM certification in a report.”
grep
grep> grep clue /home/users/*

(redmist) Re: Security Standards
by redmist (Deacon) on Feb 28, 2002 at 21:04 UTC

    This is muy useful! A standard methodology for secure programming is a good idea, so long as the recommendations contained in it are general enough (and tried and true) as to minimize the chance of a widespread secure programming practice becoming vulnerable. (For example, if someone improperly advised other programmers to check input (e.g. to avoid buffer overflows) incorrectly, and all implementations of a "secure" practice were compromised.)

    At any rate, this looks very useful, and (hopefully) effective.

    redmist
    Purple Monkey Dishwasher
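As an added illustration of the worry redmist raises above (not code from the thread, from Ideahamster.org, or from either manual): two length checks that look like sound "input validation" advice but are subtly wrong, beside the correct form. The `BUF_SIZE` of 8, the function names and the sample inputs are constructed for this example; the two flaws shown (forgetting the NUL terminator's slot, and comparing a signed length) are the kind of mistake that, once copied into every program as the "standard" practice, would be compromised everywhere at once.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BUF_SIZE 8  /* constructed: small on purpose so the boundary is easy to reason about */

/* Flawed check 1: "does the input fit?" written as len <= capacity.
 * It forgets the terminating NUL, so an input of exactly BUF_SIZE bytes
 * passes the check and the terminator would land one byte past the buffer. */
int naive_fits(size_t len, size_t capacity) {
    return len <= capacity;
}

/* Flawed check 2: signed lengths. A negative length, whether miscomputed or
 * attacker-controlled, compares as "less than capacity" and passes. */
int naive_fits_signed(int len, int capacity) {
    return len < capacity;
}

/* Correct check: unsigned length, strictly less than capacity so the
 * NUL terminator always has a slot inside the buffer. */
int safe_fits(size_t len, size_t capacity) {
    return len < capacity;
}

/* Copies src into dst only when the safe check passes.
 * Returns 1 on success, 0 when the input is rejected; dst is always a
 * valid NUL-terminated string afterwards (empty on rejection). */
int copy_input(char *dst, size_t capacity, const char *src, size_t len) {
    if (capacity == 0) return 0;
    if (!safe_fits(len, capacity)) {
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 1;
}

int main(void) {
    char buf[BUF_SIZE];
    /* Constructed inputs: one byte under and exactly at the capacity. */
    const char *seven = "1234567";
    const char *eight = "12345678";

    printf("naive  accepts 8 bytes into an 8-byte buffer: %d\n", naive_fits(8, BUF_SIZE));
    printf("safe   accepts 8 bytes into an 8-byte buffer: %d\n", safe_fits(8, BUF_SIZE));
    printf("naive signed accepts length -1:               %d\n", naive_fits_signed(-1, BUF_SIZE));
    printf("copy 7 bytes: %d (\"%s\")\n", copy_input(buf, sizeof buf, seven, strlen(seven)), buf);
    printf("copy 8 bytes: %d (rejected, buf is \"%s\")\n",
           copy_input(buf, sizeof buf, eight, strlen(eight)), buf);
    return 0;
}
```

The point of the pairing is that `naive_fits` and `safe_fits` differ by a single character, yet one of them is an off-by-one that a stack-smashing attacker can use and the other is not; a published "standard" practice has to get that character right for everyone who copies it.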
Re: Security Standards
by PixelRat (Sexton) on Mar 29, 2002 at 19:20 UTC