Mel Beckman wrote:
The question of code quality is always a difficult one, since in FOSS
it's public and often found lacking, but in private source you may
never know. In these cases I rely on the vendor's public statements
about their development processes and certifications (e.g., ICSA).
Commercial products often disclose their development processes and
even run in-house security threat research groups that publish to the
community.

There are also outside certifications. For example, www.icsalabs.com
lists certifications by vendor for those that have passed their test
regimen, and both Dell SonicWall and Fortinet Fortigate are shown to be
current. PFSense isn't listed, and although it is theoretically vetted
by many users, there is no guarantee of recency or thoroughness of the
test regimen.

This brings up the question of whether PFSense can meet regulatory
requirements such as PCI, HIPAA, GLBA and SOX. While these regulatory
organizations don't require specific overall firewall certifications,
they do require various specific standards, such as encryption
strength, logging, VPN timeouts, etc. I don't know if PFSense meets
these requirements, as they don't say so on their site. Companies like
Dell publish white papers on their compliance with each regulatory
organization.
It seems those certifications are not offering the assurance at least
*some* people would expect from them, unless of course we're talking
about feeding the paper-pushing beast. This is a mere observation on my
part; principally I'm not against them, but I seriously doubt bad coding
practices happen only on non-certified/audited code, so I find the
question of value difficult to answer in a satisfactory manner.
Random germane example:
http://opensslrampage.org/post/83555615721/the-future-or-lack-thereof-of-libressls-fips
Aris