It seemed like a good idea at the time. Set up a website that allows users and developers alike to check which pieces of Linux code have been checked for security holes. The project, dubbed Sardonix, was a classic open source solution to a clear problem.

The scheme's originator Crispin Cowan, chief research scientist at WireX Communications, said: "Auditing is needed not just because some developers refuse to read, or follow such standards, but also because humans make mistakes and may fail to completely, or correctly, follow all rules perfectly."

Yet few became involved because, according to Cowan, there's no glory in auditing security holes. Funded initially by the US defence establishment body Defense Advanced Research Projects Agency (DARPA), the research grant aiming to centralise what was, and remains, a fairly loosely structured review process dried up nine months ago.

The plan was that volunteer code auditors would be ranked according to the volume of code they examined and the number of security holes discovered. Points would be lost if holes were subsequently discovered in code passed as clean. But, said Cowan, "I got a great deal of participation from people who had opinions on how the rankings should work, and then squat from anybody actually reviewing code."

Cowan added: "The Bugtraq model is: find a bug, win a prize - a modest amount of fame. Our model is: review a whole body of code, eventually finding no bugs, and receive a deeper level of appreciation from people who use the code. It seems the Sardonix lesson is people don't want to play this game, they want to play the Bugtraq game."

Some have commented that few people can both code and have sufficient expertise to spot buried security bugs for no reward, while others moot a lack of visibility and marketing as the reason for the site's demise. Only 22 pieces of code are listed on the site as having been audited, 14 as unaudited.