Data Security: Viruses, Firewalls and Safe Computing
How to uncover hidden PC activity

How to monitor what your PC is really doing. See front page: http://www.aoaforums.com/frontpage/c...-activity.html

Comments?
Windows is orders of magnitude better than it used to be, that is for sure! In fact, there are some features now that I've not seen deployed on any other OS yet - for example, MS have made attempts to mitigate ROP (return-orientated programming) attacks. Now this may not be entirely successful, but until DEP (data execution prevention - also known as non-executable pages) and ASLR (address space layout randomisation), ROP was unheard of because attackers didn't need to jump through such hoops.

In terms of code quality, unfortunately Open Source has been found to be poorer than closed source. Veracode have done some interesting work in this area. Disclaimer - I used to work with some of the Veracode guys whilst they were @stake, hence I have some level of respect for them. Veracode do code analysis to identify where there are potential issues within the code. I've attached a couple of images - the first is web apps that meet the OWASP Top 10 on first submission. The second is apps that meet CWE/SANS Top 25 on first submission. Note that Open Source code comes out worse in terms of compliance! Also note that web app code generally does worse than non-web app. The report this was pulled from is Veracode's State of Software Security Report Volume 4.

Last edited by Aedan; 24th May, 2012 at 10:12 AM.
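The DEP and ASLR mitigations mentioned above only protect an image that opts into them: a Windows PE file declares this in the DllCharacteristics field of its optional header (NX_COMPAT for DEP, DYNAMIC_BASE for ASLR). The following checker is an added example, not code from the thread or from Veracode; the helper names are my own and the PE header bytes it runs against are constructed inline for the demonstration.

```python
import struct

# DllCharacteristics flag bits from the PE/COFF specification
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated: ASLR-compatible
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image opts into DEP (non-executable pages)


def mitigation_flags(data: bytes) -> dict:
    """Report whether a PE image opts into ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT).

    Walks DOS header -> e_lfanew -> "PE\\0\\0" -> COFF header -> optional header.
    DllCharacteristics sits at offset 70 of the optional header in both PE32
    and PE32+, so one offset serves 32-bit and 64-bit images alike.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    optional = coff + 20
    if size_of_optional < 72 or len(data) < optional + 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    magic = struct.unpack_from("<H", data, optional)[0]
    dll_chars = struct.unpack_from("<H", data, optional + 70)[0]
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed sample input: just enough PE header to exercise the parser (not loadable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header directly after DOS header
    optional = bytearray(112)                 # covers the fixed fields of PE32 and PE32+
    struct.pack_into("<H", optional, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", optional, 70, dll_characteristics)
    machine = 0x8664 if pe32plus else 0x14C
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (IMAGE_FILE_EXECUTABLE_IMAGE)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(optional), 0x0002)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    print(mitigation_flags(build_minimal_pe(0x0140)))        # both mitigations opted in
    print(mitigation_flags(build_minimal_pe(0x0000, True)))  # 64-bit image with neither
```

On a real file, `mitigation_flags(open(path, "rb").read())` gives the same dictionary; an image reporting `aslr: False` is one that DEP/ASLR cannot fully protect, which is exactly the gap ROP-style techniques exploit.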
Interesting. Equally interesting is that applications developed in-house perform better (especially on the CWE/SANS Top 25) than both commercial and open source submissions. With respect to those graphs, there's no way to determine the relative complexity of the applications, the size of the team working on them and the average experience of the programmers. I suspect that a lot of the difference between the in-house application and the open-source application is that (I'm assuming here) the in-house application is developed by a small team of competent programmers with a solid plan and strong management, whereas the open source project may be developed by a huge team of unknown quantities, with a fag-packet plan and volunteer management.

It is by coffee alone I set my mind in motion...
Well yeah, but that's everyone else's Linux. My Linux be good, my Linux be pure! My Linux achieves this by being FREE! ":O} K. makes some interesting points as far as who's doing the work and under what circumstances... Did they look across all Linux distros? Were there any exceptions among the "older, more established" distros?

"Though all men live in ignorance before mystery, they need not live in darkness... Justice is foundation and Mercy ETERNAL." DKE
"All that we do is touched by Ocean, yet we remain on the shore of what we know." Richard Wilbur
I took it that the graph was per-application, so it would be testing against, say, Evolution or Firefox, instead of testing against every executable in a given distro. Also "open source" can include open-source Windows applications, of which there are many.
Still good to hear MS has changed... (Was that too bitter? ":O}
It is per application. The applications are examined on the basis of paid engagements, i.e. each of those apps has had someone willing to pay for them to be examined. The open source ones are probably there because they're part of a larger application which uses some open source components.
I'm not sure I'm understanding you rightly, Aedan... I don't pay for apps any more... scratch that! I still use Acronis, bought it while still using win doze for backup, works OK with Linux, but I digress... With most Linux apps free, how's this a true comparison, when only paid-for apps are benched? I must be missing a few pieces here?
It's nothing to do with whether the applications are free to the end user or not: Veracode are doing some complicated, specialist analysis and their time and expertise don't come for free. The developers pay to have their code analysed. If open source components are used in commercial applications, it's reasonable that the commercial developer, knowing that their security is only as good as their weakest component, will pay to have open source code validated.
OK, now I get you guys, I was on a completely different page! Thanks K.