Security testing: need for a security policy, and a security-critical package process

[Hal Murray]

gene at czarc.net said:
...
> A written description of the security policy is a must!
...

Is the idea of a single one-size-fits-all security policy reasonable?  I 
think Fedora has a broad range of users.

Security is a tradeoff.  If you make it impossible for the bad guys to get 
in, the good guys probably can't get any work done.  How secure do you need 
to be?  How much are you willing to pay for it?

I'd much rather have an overview document that explains the likely attacks 
and potential solutions, and their costs and benefits.  Additionally, I think 
it's much easier to follow a policy if I understand the reasonaing behind it.

I think sample policy documents with descriptions of their target audience 
and checklists for how to implement them would be helpful.



-- 
These are my opinions, not necessarily my employer's.  I hate spam.