Open Sources | Rodrigues & Urlocker » Security Expert on Open Source: Part 3

July 27, 2005

Security Expert on Open Source: Part 3

Continuing my discussion with Doug Barbin from Verisign...

Is there a security or networking product that you think could benefit from an open source-esque model? For example, in many ways Snort is so successful because the community helps to test the rules.

I've actually seen this to a degree in the forensics community. EnCase, which is by far the leader in this space, has opened up its own imaging tool by publishing how the tool does its imaging. Specifically, it uses small chunks of data that are each hashed using a cryptographic checksum. The advantage of this is that if there were a problem with an image (or a bad sector on a drive that could not be copied), you would be able to identify which small amount of data that was and know that the rest of the image was exactly the same as the source drive. The perceived disadvantage is that this is not a bit-for-bit image (because you are adding checksums to it). EnCase has countered this by 1) supporting dd images in their analytical tool (which they did over four years ago) and 2) making details available on how their imaging tool works so that it can be validated.

I think one area that could use some help is vulnerability scanning. Now, this is a tool that the open source community participates in actively, so it doesn't need to be more open per se. However, the challenge I've seen comes back to accountability for the signatures. There is the issue of timeliness, which I addressed above. There is also the issue of confidence. "Confidence" is knowing how accurate your scanning signature is or, more specifically, how often it will yield a false positive. I think the open source community does a great job of publishing new signatures, but we could probably do a lot more to study and rate the confidence of our signatures, so that you know if you scan for a certain MS vulnerability, 90% of the time the Nessus result has been accurate, or vice versa, where 90% of the time it is a false positive. Commercial vendors do this, and charge for it.

Intrusion prevention is probably an area that could be more open. We still see challenges in network IPS or IDP (Intrusion Detection and Prevention) in that customers are worried that a false positive will create a denial of service condition.

Note: Opinions expressed are those of Doug Barbin and do not reflect those of Verisign.
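The chunk-hashing idea Barbin describes is easy to see in code. The example below is added here and is not EnCase's code or format; it assumes a 4 KiB chunk size, SHA-256 as the per-chunk checksum, zero-filling of unreadable chunks, and a constructed in-memory "drive" (names such as `acquire`, `verify` and `read_chunk` are this example's own). It images the drive chunk by chunk, records a simulated bad sector, and then shows that a single damaged byte in the stored image is localised to one chunk, whereas a whole-image hash only reports that something changed.

```python
import hashlib
from dataclasses import dataclass, field

# Assumption: a 4 KiB acquisition block. The interview says only "small chunks";
# the size EnCase actually uses is not stated on the page.
CHUNK_SIZE = 4096

# Constructed sample "drive": 5 chunks of deterministic, varied bytes.
SAMPLE_DRIVE = bytes((i * 7 + (i >> 8)) & 0xFF for i in range(5 * CHUNK_SIZE))


@dataclass
class ChunkedImage:
    chunk_size: int
    chunks: list = field(default_factory=list)      # copied data, one entry per chunk
    digests: list = field(default_factory=list)     # SHA-256 hex of each chunk at acquisition
    unreadable: list = field(default_factory=list)  # chunk indices the source refused to read


def read_chunk(drive: bytes, index: int, chunk_size: int, bad_chunks=frozenset()) -> bytes:
    """Simulated device read. Chunks listed in bad_chunks behave like bad sectors."""
    if index in bad_chunks:
        raise OSError(f"I/O error reading chunk {index}")
    return drive[index * chunk_size:(index + 1) * chunk_size]


def acquire(drive: bytes, chunk_size: int = CHUNK_SIZE, bad_chunks=frozenset()) -> ChunkedImage:
    """Image the drive chunk by chunk, hashing each chunk as it is copied.
    Unreadable chunks are zero-filled and recorded, so the gap is documented
    rather than silently absorbed into the image."""
    image = ChunkedImage(chunk_size)
    total_chunks = (len(drive) + chunk_size - 1) // chunk_size
    for i in range(total_chunks):
        try:
            chunk = read_chunk(drive, i, chunk_size, bad_chunks)
        except OSError:
            length = min(chunk_size, len(drive) - i * chunk_size)
            chunk = b"\x00" * length
            image.unreadable.append(i)
        image.chunks.append(chunk)
        image.digests.append(hashlib.sha256(chunk).hexdigest())
    return image


def verify(image: ChunkedImage) -> list:
    """Re-hash every stored chunk against its acquisition digest.
    Returns the indices of chunks that no longer match, so a later problem with
    the image file is localised to a few kilobytes instead of condemning the lot."""
    return [i for i, (chunk, digest) in enumerate(zip(image.chunks, image.digests))
            if hashlib.sha256(chunk).hexdigest() != digest]


def whole_image_digest(image: ChunkedImage) -> str:
    """The single hash a plain dd image would carry, for contrast: it answers
    'is anything different?' but never 'what is different?'."""
    h = hashlib.sha256()
    for chunk in image.chunks:
        h.update(chunk)
    return h.hexdigest()


def corrupt(image: ChunkedImage, index: int, offset: int = 0) -> ChunkedImage:
    """Flip one bit in one chunk of an existing image (simulates storage damage)."""
    chunk = bytearray(image.chunks[index])
    chunk[offset] ^= 0x01
    image.chunks[index] = bytes(chunk)
    return image


if __name__ == "__main__":
    # Chunk 3 plays the part of an unreadable sector on the source drive.
    img = acquire(SAMPLE_DRIVE, bad_chunks=frozenset({3}))
    print("unreadable at acquisition:", img.unreadable)   # [3]
    print("mismatched chunks:", verify(img))              # []
    before = whole_image_digest(img)
    corrupt(img, 1)
    print("mismatched after damage:", verify(img))        # [1]
    print("whole-image hash changed:", before != whole_image_digest(img))  # True
```

Note that the per-chunk digests are metadata stored alongside the data, which is exactly why the result is not a bit-for-bit copy; the raw chunks can still be concatenated back into a dd-style stream for tools that expect one.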

Posted by Dave Rosenberg on July 27, 2005 08:12 AM
