Re: Security experts in Mauritius

From: Ish Sookun <ish_at_lsl.digital>
Date: Sun, 1 Nov 2015 20:24:39 +0400

Hi Logan,

On 11/01/2015 01:23 PM, Loganaden Velvindron wrote:
>
> It's not only LUGM. There are *many* companies in Mauritius relying on
> Open Source Software. How many are actually carrying out security
> audits, and discovering those flaws? The numbers speak for themselves.
>

Are you implying or suggesting that web agencies should employ software
developers that understand the code behind Apache, Nginx, Varnish,
OpenSSL etc.? Carrying out a security audit on a company's own code is
one thing, and auditing completely different programs written in a
plethora of languages would mean something else. I don't know if those
agencies would have the resources to hire someone to develop websites and
dig for security flaws in open source software (like Nginx, OpenSSL etc.)
at the same time, unless one of their employees is passionate about such
things and the company 'sponsors' some of his/her activities. At most the
company would hire someone who has a sound knowledge of security and can
patch the software the company uses, in a timely manner and with minimal
effort.

Many web agencies rely on Open Source software but security audits
outside their field might not be an everyday business.

I would rather expect that from security-centric companies which in my
opinion are not *many* in Mauritius. A quick search on Google led me to
these two companies in Mauritius that offer "IT Security" services:

- http://www.tylers.mu/
- http://www.isysevolution.com/Information_Security.html

> Auditing for security flaws involves having good knowledge of software
> development, *and* being able to critically analyze code to find a way
> to subvert it. A security expert who cannot understand how unbounded
> string copies lead to buffer overflows is NOT a security expert. Why
> would a security company hire a security engineer who does not
> understand those?
>

In my answer above I referenced two companies that I found offer "IT
Security" in Mauritius.

I have often seen you posting similar "concerns" on social networks or
your blog but have you ever contacted those companies and asked about
their contribution to Open Source software? What can be done to fix that?

> Discovering a compromised website is one thing. However, going through
> the web application code, and discovering the vulnerable code which
> allows that to happen is what a real security expert would do. Now, how
> to prevent that from happening, by rewriting the code, is the next step. How
> many people can do that in Mauritius? I would be happy to one day see
> someone post such an analysis on his blog.

I do not see any security expert, as you say, having a blog in
Mauritius. Are you referring to anyone in particular? Do you expect a
mason to design a building's blueprint and an architect to execute
manual labour?

Would you write to Tylers and ISYS Evolution telling them about your
expectations from Mauritian companies and security experts using Open
Source software?

I am a Sysadmin and I contribute to Open Source software via bug reports
[1][2][3][4][5] as and when I encounter them. Can you advise me in what
other way I may contribute?

>
> As I said, nobody submitted a decent solution for the Heartbleed
> security contest, so in my opinion, there are none in Mauritius.
>

Did you send an invitation to IT Security companies in Mauritius for the
Heartbleed contest that you organized and tell them the results would be
used to index the level of "security-centric knowledge & skills" in
Mauritius?

>
> And what about practical applications of those concepts? Implement the
> OpenSSL API, in a simple client/server model?
>

You learned Chemistry in college, right? Did you start making your own
soap or shampoo? A kid who is passionate about Chemistry would surely
try it though, and might be amazed and share his new soap with
like-minded people.

The practical side of things learned in HSC usually is seen if the
student pursues a similar career path or is passionate about the subject.

[1] https://bugzilla.novell.com/show_bug.cgi?id=841475
[2] https://bugzilla.novell.com/show_bug.cgi?id=841711
[3] https://bugzilla.novell.com/show_bug.cgi?id=826325
[4] https://bugs.launchpad.net/ubuntu/+source/apt-build/+bug/1268120
[5] https://bugs.launchpad.net/ubuntu/+source/jitsi/+bug/1306901

Regards,

-- 
Ish Sookun
Received on Sun Nov 01 2015 - 16:24:58 PST