[Owasp-leaders] Measuring GitHub.com security

Dennis Groves dennis.groves at owasp.org
Thu Jan 26 16:32:04 UTC 2012


Guilty! You see what I have done there. :-D  
However, I think the intent of the message is very much the same.

If there is a security threat to an enormously, massively distributed, redundant system that doesn't require confidentiality, that has a 'circle of trust' built into it, and that further has unparalleled integrity, I am having trouble identifying what it is, and what more one would do to mitigate it.

That said, I can see threats to GitHub as a company, and thus it is similar to, say, DNS, where one country seems to control the single point of failure as it were… that is a problem; but then the question becomes what the alternatives are, and if none exist, are we sufficiently motivated to fill that market demand?

Dennis

--
Dennis Groves (http://about.me/dennis.groves), MSc
dennis.groves at gmail.com

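The "unparalleled integrity" Dennis refers to above comes from git's content addressing: every object (blob, tree, commit) is named by the SHA-1 of a `"<type> <size>\0<content>"` envelope, and commits embed the ids of their tree and parent, so altering any object changes every id above it in the history. The script below is an added example written for this archive page, not code from the thread or from git itself; the object formats are git's real ones, but the two-commit history it builds is constructed synthetically for illustration, and the author string is a placeholder.

```python
import hashlib


def git_object_id(obj_type: str, content: bytes) -> str:
    """Id git assigns to an object: SHA-1 over "<type> <size>\\0<content>"."""
    header = f"{obj_type} {len(content)}\0".encode()
    return hashlib.sha1(header + content).hexdigest()


def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)


def tree_object(entries) -> bytes:
    """Serialise a tree: entries are (mode, name, hex_id); git sorts by name
    and stores the child id as raw 20 bytes, not hex."""
    body = b""
    for mode, name, hex_id in sorted(entries, key=lambda e: e[1]):
        body += f"{mode} {name}\0".encode() + bytes.fromhex(hex_id)
    return body


def commit_object(tree_id: str, parent_id, message: str) -> bytes:
    """Serialise a commit; the parent line is what chains history together."""
    # Placeholder identity and fixed timestamp so ids are reproducible.
    author = "Example Author <author@example.invalid> 0 +0000"
    lines = [f"tree {tree_id}"]
    if parent_id:
        lines.append(f"parent {parent_id}")
    lines += [f"author {author}", f"committer {author}", "", message]
    return "\n".join(lines).encode() + b"\n"


def build_history(snapshots):
    """Given a list of {filename: bytes} snapshots (one per commit), return
    the commit ids in order. Each commit's id covers its whole ancestry."""
    commit_ids = []
    parent = None
    for snapshot in snapshots:
        entries = [("100644", name, blob_id(data)) for name, data in snapshot.items()]
        tree_id = git_object_id("tree", tree_object(entries))
        commit_id = git_object_id("commit", commit_object(tree_id, parent, "snapshot"))
        commit_ids.append(commit_id)
        parent = commit_id
    return commit_ids


def verify_object(expected_id: str, obj_type: str, content: bytes) -> bool:
    """What a clone does for every object it receives: recompute and compare.
    A tampered object cannot keep the id the rest of the history points at."""
    return git_object_id(obj_type, content) == expected_id


# Constructed two-commit history: the second commit only adds a file.
ORIGINAL = [
    {"hello.txt": b"hello\n"},
    {"hello.txt": b"hello\n", "README": b"notes\n"},
]
# Same history, but the file in the FIRST commit has been altered.
TAMPERED = [
    {"hello.txt": b"hallo\n"},
    {"hello.txt": b"hello\n", "README": b"notes\n"},
]


def tamper_propagates() -> bool:
    """True if changing the first commit's content changed every later id."""
    a, b = build_history(ORIGINAL), build_history(TAMPERED)
    return all(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    print("blob id of 'hello\\n':", blob_id(b"hello\n"))
    print("tamper changed every commit id:", tamper_propagates())
```

Run it and compare the first line with `echo hello | git hash-object --stdin`; the two agree because the envelope format is git's own. The second line is the property the integrity claim rests on: a modified ancestor gives a different descendant id, so anyone holding the expected head id detects the change. What this does not cover is the question raised earlier in the thread, which is whether the party publishing the head id can be trusted; the hash chain proves consistency with that id, not its origin.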


On Thursday, 26 January 2012 at 16:25, Mat Caughron wrote:

> Clearly this was paraphrased, the original was ftp, I think:
> http://en.wikiquote.org/wiki/Linus_Torvalds
>  
> Yup. Good thing we've come a long way from open, unencrypted password
> exchanges though...
>  
> Mat
>  
> On Thu, Jan 26, 2012 at 9:28 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
> > Wasn't Git only invented in 2005? :)
> >  
> > Dinis Cruz
> >  
> > On 26 Jan 2012, at 15:19, Dennis Groves <dennis.groves at gmail.com> wrote:
> >  
> > > "Only wimps use backup: real men just upload their important stuff on git, and let the rest of the world fork it ;)" – Torvalds, Linus (1996-07-20).
> > >  
> > > --
> > > Dennis Groves (http://about.me/dennis.groves), MSc
> > > dennis.groves at gmail.com
> > >  
> > > On Thursday, 26 January 2012 at 14:51, dinis cruz wrote:
> > >  
> > > > GitHub has a pretty good security page with lots of good practices in there.
> > > >  
> > > > But my question is 'how do we measure it'?
> > > >  
> > > > Ideally I would like to have a score card that showed how good (or
> > > > bad) their security profile is (this scorecard would allow me to
> > > > compare it with another services or even with internal security
> > > > practices)
> > > >  
> > > > I'm also keen to know about the Github.com web app security (for
> > > > example vs the OWASP Top 10)
> > > >  
> > > > Dinis Cruz
> > > > _______________________________________________
> > > > OWASP-Leaders mailing list
> > > > OWASP-Leaders at lists.owasp.org
> > > > https://lists.owasp.org/mailman/listinfo/owasp-leaders
> > >  
>  