[Discuss] NAS: encryption
Richard Pieri
richard.pieri at gmail.com
Wed Jul 8 16:13:09 EDT 2015
On 7/8/2015 3:19 PM, Chuck Anderson wrote:
> Sorry, I call BS. My point was that having access to source code is a
> prerequisite. If you don't have access to the source code, it becomes
> MUCH harder to audit because you are limited in the techniques you can
> use, such as black box testing. If you have source code, you can read
> the code and try to understand what it is doing.
This is why I say you don't have the qualifications. Access to the
source code isn't worth nearly as much as you seem to think it is. There
are classes of vulnerabilities like insecure compiler optimizations that
are impossible to detect by examining the source code even when you do
understand what the code is supposed to do. On the other hand, no-source
techniques like black box testing work whether or not you have the
source. This is why my answer to your next question is...
> And do you think we would know about those instances if the
> code/standards were closed?
... yes, we would.
--
Rich P.
More information about the Discuss
mailing list