Dailydave mailing list archives

Re: Lame studies that people quote as fact that have no basis in reality and still don't prove anything even if they did


From: Rodney Thayer <rodney () canola-jones com>
Date: Wed, 04 Feb 2004 06:58:14 -0800

At 09:33 AM 2/4/2004 -0500, you wrote:
http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss306_art550,00.html

"""
Don't get me wrong. Building secure software is a laudable goal. It boosts productivity and reduces costs. According 
to one study, it's 6.5 times more expensive to fix a security problem in the implementation phase than in the design 
phase of a software rollout. By the time you get to the maintenance phase, it's 100 times more expensive.
"""

This is crap. If you spend your whole life looking for security bugs in your product, then you find them. 
Continuously. You'll end up finding at least 100 times more than will ever come out in public. So you really save a 
lot of money by doing everything in the QA phase, where it belongs.

Really.  Do Q-A on your product.  Make sure you test for security.  Oh, and
test for protocol validity like you should have been doing all along,
that'll catch some significant fraction of the wire-based buffer overflows.

Building secure software is a subset of the theoretically obvious goal of
building software that works, and you use in-development and post-development
testing techniques to do that.  This isn't rocket science.  The fact the lazy 
punters in places like Redmond do things like, oh, say, not bothering to test
the digital signature tests in their digital certificate code is simple
lack of competence in their q-a organizations.

But, hey, if Redmond wants Dave to earn money being part of their free-lance
streetcorner-based quality control team, who am I to complain?
(p.s. I'd be happy to vent at another vendor, Redmond just came to mind first.)

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
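The point about testing for protocol validity catching a good share of wire-based buffer overflows is concrete enough to show in code. The following is an added example, not code from Rodney's post, the article, or the list: a toy framed message format (type byte, length byte, payload) is assumed for illustration, along with a fixed 16-byte payload buffer. It shows the "before" parser that trusts the length field, the hardened parser that treats any mismatch between the declared length and the bytes actually received as a protocol violation, and a small protocol-validity test table of constructed frames (valid, overstated length, length past the buffer, truncated, empty, trailing bytes) that a QA suite would run against the parser.

```c
/* Added example, not from the original post. The wire format below is an
 * assumption made for illustration:
 *   byte 0     : message type
 *   byte 1     : payload length n
 *   bytes 2..  : payload, exactly n bytes, one frame per buffer
 * A frame whose declared length does not match what was received is invalid
 * on the wire; a parser that trusts the length byte turns that into a memory
 * error, a parser that checks it returns a clean failure instead. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAYLOAD_MAX 16

struct msg {
    uint8_t type;
    uint8_t len;
    uint8_t payload[PAYLOAD_MAX];
};

/* The "before" parser: copies whatever the length byte says. On the frame
 * {0x01, 0x10, 'a'} it reads 16 bytes from a 3-byte buffer; on a frame with
 * length 0xFF it writes up to 255 bytes into the 16-byte payload. Kept only
 * to show the bug; the tests below never feed it malformed input. */
int parse_msg_unchecked(const uint8_t *wire, struct msg *out)
{
    out->type = wire[0];
    out->len = wire[1];
    memcpy(out->payload, wire + 2, out->len);   /* overflow on bad length */
    return 1;
}

/* Hardened parser: returns 1 on success, 0 on any protocol violation. */
int parse_msg(const uint8_t *wire, size_t wire_len, struct msg *out)
{
    if (wire == NULL || out == NULL || wire_len < 2)
        return 0;                        /* truncated or missing header */
    uint8_t n = wire[1];
    if (n > PAYLOAD_MAX)
        return 0;                        /* declared length exceeds buffer */
    if ((size_t)n > wire_len - 2)
        return 0;                        /* declared length exceeds bytes on the wire */
    if (wire_len - 2 != n)
        return 0;                        /* trailing bytes: not a valid frame */
    out->type = wire[0];
    out->len = n;
    memcpy(out->payload, wire + 2, n);
    return 1;
}

/* One protocol-validity test case: the frame bytes, how many were
 * "received", and whether a correct parser must accept the frame. */
struct tcase {
    const char *name;
    uint8_t bytes[32];
    size_t len;
    int must_accept;
};

/* Runs the constructed cases through parse_msg and returns how many the
 * parser gets wrong (accepts an invalid frame or rejects a valid one). */
int run_protocol_validity_tests(void)
{
    static const struct tcase cases[] = {
        { "valid 3-byte payload",   {0x01, 0x03, 'a', 'b', 'c'}, 5, 1 },
        { "valid empty payload",    {0x02, 0x00},                2, 1 },
        { "length overstates wire", {0x01, 0x10, 'a'},           3, 0 },
        { "length > PAYLOAD_MAX",   {0x01, 0xFF, 'a'},           3, 0 },
        { "truncated header",       {0x01},                      1, 0 },
        { "empty frame",            {0},                         0, 0 },
        { "trailing bytes",         {0x01, 0x01, 'a', 'b'},      4, 0 },
    };
    int failures = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct msg m;
        int accepted = parse_msg(cases[i].bytes, cases[i].len, &m);
        if (accepted != cases[i].must_accept) {
            printf("FAIL: %s\n", cases[i].name);
            failures++;
        }
    }
    return failures;
}

int main(void)
{
    int failures = run_protocol_validity_tests();
    printf("%d protocol-validity failure(s)\n", failures);
    return failures != 0;
}
```

The same test table, with the checks removed, is what drives the unchecked parser off the end of its buffers; that is why a validity suite written against the protocol specification, rather than against whatever the current parser happens to accept, tends to surface the length-handling bugs behind wire-based overflows before anyone outside the company does.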
