Today, I attend study committee run by Information technology Promotion Agency. The objective of the committee is to propose the way to establish good method to evaluate security quality by reading source code.

We discuss how let good code reader work for security quality evaluation, what should be minimum requirements on criteria of security quality evaluation, what environments would be required for establish good method to evaluate security quality by reading source code and so on.

Several topics in this discussion are:

• Expensive software products are not so much used, so that potential bugs may not be appeared.
• what should we do to let expert read the code for auditing security.
• case study? e.g. similar bugs to issues in security advisory.
• `refactoring'. in software science, it is called as `programming transformation'. technique would be the same but the purpose is different?
• programmers may be fundamentally good, so that they would try to write better code?
• some programmers write code without enough understanding of specifications
• automatic test-case generator is wanted.
• it would be nice if various (minor) architecture platforms are available to try/debug the programs.
• some software analysis tools are introduced.
  • purify http://www.sra.co.jp/Rational/purify/
  • Coverity http://www.coverity.com/
  • splint http://www.splint.org/
• what source code should be targeted to audit the source code? stable version of distribution, or unstable? most developers will review current code, but won't review old one? current code will be changed rapidly?
• who should we invite this code reading activity? how motivate?
• when/how can we disclose the knowledge from this code reading? This kind of knowledge would be useful for crackers.

What is the good plan for FLOSS developers community?