On Tuesday 26 December 2006 14:02, coderman wrote: <snip> > the vast majority of software developed does not pursue even trivial > security assurances. > look at the month of kernel bugs to see how common and trivial > validations are ignored in critical kernel interfaces to file systems > and device drivers, thus subverting the integrity of the entire > operating system and applications. Agreed. It's interesting to note that many of these issues could be prevented simply through security-minded coding practices. > it is indeed folly to expect perfection in a human process of software > engineering, but it is nothing less than incompetence and dishonesty > to suggest that the existing state of affairs is somehow unavoidable. Programmers I know usually like to take a sense of accomplishment and ownership in the software they write. But when management enforces unrealistic and draconian project milestones, quality suffers. This is a simple case of "follow the money." > we don't need perfection, but we do need to accept responsibility for > the truly crappy state of IT software and systems in place today. We are accepting responsibility for the vulnerability-riddled IT infrastructure we all depend on daily. The mushrooming demand for IT security professionals is a direct result of businesses and users taking the responsibility. This in itself is very interesting - we have an entire market segment where the buyer/user shoulders an expense (and often a liability) caused from the producer's defective products. How long would a pharmaceutical company exist if it's drugs were known to be poisonous? Would the patient buy and take the antidote so they could continue using the drug, much like we now buy and use all kinds of antivirus, anti-trojan, anti-spyware, etc? Restaurants have expired because of word-of-mouth rumors of poor tasting food. Yet mega-billion dollar software companies flourish and grow, pumping big money into glitzy advertising campaigns, hawking products infested with weakness.
Attachment:
pgpewbmY1xEUU.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/