Internal audit will be completed Monday. On Monday it is my understanding an external audit will begin with an aim to attain certification.
http://blog.soluslabs.com/2013/06/22/audit-update/
Indeed
It says:
As you may know we are currently carrying out a code audit for SolusVM. This is just to inform you that the audit is due to be complete on Monday 24th June 2013.
We are working on a find and patch basis (no news is good news) so if anything is found it will be fixed and released before we continue the audit.
Thanks for understanding!
> Yea, you would think it would be easier to just start with an external audit.
Yeah, if you didn't find it before. What says you will now?
> How many providers are actually waiting for SolusVM to be certified by external audit before enabling access to your customers?
To be completely honest, what we will do is after they are certified, we will completely reinstall our master. I know it sounds crazy but this is called paranoia.
> How many providers are actually waiting for SolusVM to be certified by external audit before enabling access to your customers?
That was something else that stuck out at me. I've never heard of an auditor issuing "certifications" and I'd consider it suspicious if they did. They look for problems, identify what they spot, and make general recommendations about good practices to follow. Software is too complex for auditing to certify that any sizeable program is guaranteed to be free of problems. That said, if Solus releases the audit report, that could help convince people about the current state of the program. I wouldn't hold it against them if they don't release it though. They may actually not be allowed to (depending on the audit contract).
> That was something else that stuck out at me. I've never heard of an auditor issuing "certifications" and I'd consider it suspicious if they did. They look for problems, identify what they spot, and make general recommendations about good practices to follow. Software is too complex for auditing to certify that any sizeable program is guaranteed to be free of problems. That said, if Solus releases the audit report, that could help convince people about the current state of the program. I wouldn't hold it against them if they don't release it though. They may actually not be allowed to (depending on the audit contract).
Yes, this talk of certifications seems odd to me, too. I have never heard of an auditor certifying code to be bug-free. That just seems like a bad business move on the part of the auditor, too.
> To be completely honest, what we will do is after they are certified, we will completely reinstall our master. I know it sounds crazy but this is called paranoia.
Personally, I consider this the best move, and would very much recommend other providers to do the same (after backing up the database, obviously). There's been quite a bit of root-level-compromise nastiness going around... fair chance that some of the masters have been messed around with in a more severe manner.
> Perhaps someone should offer to buy them out and take it in a new direction at this point.
Not worth it. You'll need a complete code rewrite.
> Perhaps someone should offer to buy them out and take it in a new direction at this point.
I think they are praying someone will do it. But honestly would you buy that source?