independent security audit

Guest Coastie

Exactly that. :)

There is an option to force guests to complete a "captcha" test before allowing the post to go through.

However, in your case, it sounds like it's a 'human' spammer who is being paid to register and post on different boards.

Here's a little tip - if you want to further randomize your captchas, just drop some more background images into the "style_captcha/captcha_backgrounds" folder and they'll be used in random rotation.

Can you also drop in new fonts for the captcha for use without having to do file edits?

Guys and gals - just my 2 cents' worth here, and it's probably me being a bit arrogant, but let me put something into the limelight...

When a young hacker is looking to make a name for his "tag", what's he/she gonna do? They're gonna go after the one piece of software that puts it on a pedestal!

By IP doing the good thing and getting their soft tested, they're gonna, at the same time, put themselves in the firing line for all the wanna-bes with half a brain cell. Having the IPB software audited is not gonna change much... You avoid being hacked by ensuring you're always up to date with patches and that you're always on the ball with logs and server updates...

No matter how many companies test the software and no matter who tests it, there are always going to be ten times that number trying to gain control and exploit it... My personal feelings are simply that, yes, make their lives hard, but this is nowhere near an excuse for poor administration.

Every time I was hacked was when I was in bed, so poor administration has nothing to do with it.
The time I was hacked through the army system, the update came out the same day I got hacked and I did not have time to install it.
The day I got hacked through Dean's shoutbox, a fix for it did not come out until 3 months later.

Multiple security firms wouldn't be reachable; this would mean another price increase for IPB. It's more than high enough as it is now with the newly announced ones.

Don't get me wrong, I'm glad IPS is having security audits; having one by multiple firms seems over the top.

My thought on multiple firms would be, for example, for a future release of IPB 2.2.0, perhaps after the final. My thought is that instead of using the same security firm again, you hire another firm in the industry to check the code for the next release. This way you won't run into the problem where the same person looks at the code and just skips it because he has looked at it once before. Let's put it this way: that one time you skip over working code, you might skip over that one security issue that's huge. Not saying one exists, but programming is an art.

With the recent price change, and how support will work once IPB 2.2.x is final, as a customer I expect security to be a higher priority than it was.

** Just another peg on the ladder is all I ask, and a security audit is that peg, but in my eyes it has to be done when huge changes happen. **

Well, there are audits and there are audits.

For example, a SAS70 audit is pretty meaningless in this case.

Are we talking detailed code review? Automated scanning? Invasive penetration testing? Trusted penetration testing?

[If Invision would like the name of a few boutique firms my employer (a large financial-services company) uses for security audits, please send me a note.]

