Re: we need to integrate new password algorhythm ASAP

by Zaphod on 2008/3/12 1:38:05

Quote:

If I understand this correctly it really highlights the need to have a set of modules, on sourceforge, that have been tested and validated for amongst other things security vulnerabilities such as this.

How is the average user supposed to track all of this? This is important work that Vaughan has put forth and highlights the complexities of a project like this. How do we make it a little bit simpler for people using Impress?

I still think there is a need to have a review process where new modules/versions are examined against a list of the most common vulnerabilities. Modules/versions that 'pass' the evaluation could be marked with a 'security audited' logo or something like that (also, we could publish a page on exactly what this means - ie. what the audit covers). Apart from reducing the number of incidents it will help module authors learn and avoid future problems.

I'd be happy to help out with this later on. Just sitting down to audit the security of my first module now. Would it be worth trying to put together a list of stuff to check, or did someone do that already somewhere?