“Sardonix has conceded that the project has largely been a failure, putting open-source security auditing back on the drawing board.”

“The Sardonix project was born from the successes and eventual failure of the Linux Security Auditing Project (LSAP). Through its design Sardonix encouraged the use of an OpenBSD-style software auditing process. This process involves researchers auditing software packages on a file-by-file basis. The purpose of the audit is to look for and locate basic programming errors that may or may not have software security implications. When the audit by one researcher has been completed, the next researcher initiates an audit of the software using the same process.”

“Sardonix’s innovation was to create a hall of fame for security researchers, acting as a long-lasting and credible forum from which members could prove that they do in fact possess security auditing skills. The proof would come in the form of a rating system that gives the auditor a higher rating if subsequent audits proved he or she located all the bugs in the code reviewed, and gives the auditor a lower rating if other audits located bugs the researcher had overlooked…”
SecurityFocus: Why Sardonix Failed