> Most all major corporations throughout the world are using code without
> auditing it themselves, and this includes OSSS.

Most major corporations are regularly exploited externally and
internally on a regular basis because of insufficient security measures at
the application, OS, and hardware level to secure their own data. Just
because it doesn't make it to 'news.com' doesn't mean it isn't happening.
I've dealt with this dozens of times at a previous job at a very large
proprietary pharmeceutical company.

Nobody is advocating making the code "free", or publically
accessible. I said "open", which means access to it should be available.
Whether that access is through NDAs, or other methods that do not require
restrictive licensing, that's all that matters.

> See http://news.com.com/2100-1001-830130.html, where you will discover
> that "...the programs are getting audited a lot less than people think".

A moot point. Nimda is still pounding machines across the internet
every single day. I get 30-50 new hosts _IN MY SUBNET_ a week. How long ago
were people told to patch their machines against this? 7 months?

Auditing seems to happen when a problem is found, not when an
application is designed. This is 2002, and it's time to start thinking about
scalable, secure, distributed applications. You can't put security in a
black box anymore. Everyone's learned their lessons already by getting
burned by companies like Microsoft, Oracle, and others.

> For example, Sendmail has been open source for 20 years, and people have
> found more vulnerabilities in it every year of that 20 years.

Security is a process, not a program.

That being said, sendmail is developed by a company, with employees
and an agenda. Just because I find a hole, or an exploitable section of
code, and report it, is no guarantee that _ANYTHING_ will be done about it
(witness any of the hundreds of still-open holes in that OS from our friends
in Redmond)

My point is that auditing ensures data security more than "assuming"
that an application is secure. Everyone should be learning their lessons now
after getting burned by all the "spyware" in applications these days from
RealPlayer, Windows Media Player, :CueCat, and others.



/d



--
For information on using the Palm Developer Forums, or to unsubscribe, please
see http://www.palmos.com/dev/tech/support/forums/