Security testing: need for a security policy, and a security-critical package process

Adam Williamson awilliam at redhat.com
Tue Nov 24 02:05:58 UTC 2009


On Mon, 2009-11-23 at 18:16 -0600, Chris Adams wrote:
> Once upon a time, Adam Williamson <awilliam at redhat.com> said:
> > It's not QA's role to define exactly what the security policy should
> > look like or what it should cover, but from the point of view of
> > testing, what we really need are concrete requirements. The policy does
> > not have to be immediately comprehensive - try and cover every possible
> > security-related issue - to be valuable. Something as simple as spot's
> > proposed list of things an unprivileged user must not be able to do -
> > http://spot.livejournal.com/312216.html - would serve a valuable purpose
> > here.
> 
> IMHO that's a backwards way of approaching security.  You will never be
> able to define everything somebody should _not_ be able to do.  You
> should always take the approach of defining what somebody _should_ be
> able to do.

But think from a QA perspective. However the policy is phrased, we have
to test the negatives. If we just tested that all the 'could' things on
the list were OK, we would happily approve a release that gave everyone
root privileges. After all, everyone would be able to do all the things
they were supposed to do. It'd be a 100% pass. =)

-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net



