On Tue, 17 Jan 2012 14:09:13 +0100, Martijn Broos said:

> If programmers are aware of security consequences, they would fix them in the
> first place or try to avoid them.

Unfortunately, there's this problem called "already announced ship date". Go take a look at Skyrim - they announced 11/11/11 ship date like *months* beforehand. And yes, it shipped that day - with lots of glitches. The fact that lots of the glitches were fixed in patches released within days after release indicates that the programming staff knew full well what caused the glitch and what to do to fix it - they just didn't have time to actually *do* it before their freeze date to get stuff onto the DVD.

And security bugs are identical to other bugs as far as making a deadline goes - at some point somebody has to say "delay it" or "ship it anyhow". Usually, neither choice is a really good option...

> So I vote for the use of kiddies (only in a controlled test environment).
> This could even be a public test site where this list could try to break the
> stuff as long as you tell me how you did it:)

This sort of public test is almost never a good idea. One of two things happens:

1) The kiddies who do it for a lark break it. Yes, now you know you have holes. But the rest of the world now knows you couldn't even find the easy stuff. So you're gonna be dead meat for the vultures once you fix the easy stuff.

2) The kiddies who do it for a lark don't break it. Doesn't prove squat, because they almost certainly didn't check the entire attack surface, or try very hard to break it. A good professional pen test company could still break it - as could a really good black hat. But neither of them are going to participate in your public test unless you offer a lot bigger prize (equivalent to what they'd make for a several-week actual engagement).
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/