SolusVM Audit Update

drmike

100% Tier-1 Gogent
It says:

As you may know we are currently carrying out a code audit for SolusVM. This is just to inform you that the audit is due to be complete on Monday 24th June 2013.

We are working on a find and patch basis (no news is good news) so if anything is found it will be fixed and released before we continue the audit.

Thanks for understanding!
 

ShardHost

New Member
Verified Provider
It says:

As you may know we are currently carrying out a code audit for SolusVM. This is just to inform you that the audit is due to be complete on Monday 24th June 2013.

We are working on a find and patch basis (no news is good news) so if anything is found it will be fixed and released before we continue the audit.

Thanks for understanding!
Indeed
 

mikho

Not to be taken seriously, ever!
There is no information if this is an internal or external audit. There is no information that an external audit will start after an internal audit.


One can then suspect that this is an internal audit and no external audit will be made if nothing is found.


If nothing is found, that can be both good and bad news. It is good that nothing was found, bad in the way that they already do the audit before every release and nothing was found then either.


One can hope that it is a good external company that audits the code. Perhaps it should even be two different companies.
 

drmike

100% Tier-1 Gogent
Yes, the verbiage is very wide open.

Someone needs to push SolusLabs about this audit and get some details. @MannDude?

An internal audit would be ummm...... useless.

An external audit could be alright, but would have to be full source analysis and I doubt a rush job like this would end up anywhere near perfect.
 

ShardHost

New Member
Verified Provider
I've already contacted Solus Labs before my first post.  My comments were not speculation.

This is currently an internal audit that will be completed on Monday.  Solus Labs will then start an external audit with an aim to get certification.
 

willie

Active Member
Starting with an internal audit is fine since it may pick up some stuff before handing off to the external auditors.  However, there really has to be an external audit at this point.  The company has had persistent problems with security cluelessness and as such, the internal audit by itself doesn't carry much weight.  External audits are useful even if you know what you are doing.  We were security freaks where I used to work, and auditors still told us things that we didn't know.
 

vanarp

Active Member
How many providers are actually waiting for SolusVM to be certified by external audit before enabling access to your customers? 
 

rsk

Active Member
Verified Provider
How many providers are actually waiting for SolusVM to be certified by external audit before enabling access to your customers? 
To be completely honest, what we will do is after they are certified, we will completely reinstall our master. I know it sounds crazy but this is called paranoia.
 

willie

Active Member
How many providers are actually waiting for SolusVM to be certified by external audit before enabling access to your customers? 
That was something else that stuck out at me.  I've never heard of an auditor issuing "certifications" and I'd consider it suspicious if they did.  They look for problems, identify what they spot, and make general recommendations about good practices to follow.  Software is too complex for auditing to certify that any sizeable program is guaranteed to be free of problems.  That said, if Solus releases the audit report, that could help convince people about the current state of the program.  I wouldn't hold it against them if they don't release it though.  They may actually not be allowed to (depending on the audit contract).
 

kaniini

Beware the bunny-rabbit!
Verified Provider
That was something else that stuck out at me.  I've never heard of an auditor issuing "certifications" and I'd consider it suspicious if they did.  They look for problems, identify what they spot, and make general recommendations about good practices to follow.  Software is too complex for auditing to certify that any sizeable program is guaranteed to be free of problems.  That said, if Solus releases the audit report, that could help convince people about the current state of the program.  I wouldn't hold it against them if they don't release it though.  They may actually not be allowed to (depending on the audit contract).
Yes, this talk of certifications seems odd to me, too.  I have never heard of an auditor certifying code to be bug-free.  That just seems like a bad business move on the part of the auditor, too.

Do we know who the auditor is?
 

joepie91

New Member
To be completely honest, what we will do is after they are certified, we will completely reinstall our master. I know it sounds crazy but this is called paranoia.
Personally, I consider this the best move, and would very much recommend other providers to do the same (after backing up the database, obviously). There's been quite a bit of root-level-compromise nastiness going around... fair chance that some of the masters have been messed around with in a more severe manner.
 

concerto49

New Member
Verified Provider
There are plenty of exploits, reports and known issues floating around different channels, websites, forums, etc... I don't get how hard it is. Some known ones are still floating around. Personally, if I was Solus, I'd be actively contacting those around here and other places for help. Way easier. Just get users to PM known exploits etc. to them. Being active helps fix their reputation right now.
 

Nick_A

Provider of the year (2014)
Perhaps someone should offer to buy them out and take it in a new direction at this point.
 

drmike

100% Tier-1 Gogent
I think they are praying someone will do it. But honestly would you buy that source?
 

The source can be cleaned up / fixed.  The main functionality/features are well known and they work.  Probably $100-200k cleaning up the code, outsourcing a real audit and paying new employees/contractors.

The company has paying customers and quite a few of them.

Don't talk too loud :)  iNet Interactive would do well to purchase this.   Any major provider/datacenter could benefit and shake up the market by buying SolusLabs.  cPanel could tender an offer.

Quite a few folks are interested in Solus from an acquisition standpoint.
 