Dailydave mailing list archives
Re: Lame studies that people quote as fact that have no basis in reality and still don't prove anything even if they did
From: Rodney Thayer <rodney () canola-jones com>
Date: Wed, 04 Feb 2004 06:58:14 -0800
At 09:33 AM 2/4/2004 -0500, you wrote:
> http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss306_art550,00.html
>
> """
> Don't get me wrong. Building secure software is a laudable goal. It boosts productivity and reduces costs. According to one study, it's 6.5 times more expensive to fix a security problem in the implementation phase than in the design phase of a software rollout. By the time you get to the maintenance phase, it's 100 times more expensive.
> """
>
> This is crap. If you spend your whole life looking for security bugs in your product, then you find them. Continuously. You'll end up finding at least 100 times more than will ever come out in public. So you really save a lot of money by doing everything in the QA phase, where it belongs.
Really. Do Q-A on your product. Make sure you test for security. Oh, and test for protocol validity like you should have been doing all along; that'll catch some significant fraction of the wire-based buffer overflows.

Building secure software is a subset of the theoretically obvious goal of building software that works, and you use in-development and post-development testing techniques to do that. This isn't rocket science. The fact that the lazy punters in places like Redmond do things like, oh, say, not bothering to test the digital signature tests in their digital certificate code is simple lack of competence in their q-a organizations.

But, hey, if Redmond wants Dave to earn money being part of their free-lance streetcorner-based quality control team, who am I to complain?

(p.s. I'd be happy to vent at another vendor, Redmond just came to mind first.)

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
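The "test for protocol validity" point above is the kind of QA check that catches length-field bugs before they ship. The following is an added example, not code from either poster or from any product discussed in the thread: a parser for a constructed TLV-style wire format (1-byte type, 2-byte big-endian length, payload) that checks every declared length against the bytes actually present, plus a small harness that feeds it malformed frames and sweeps the length field. The format, the `MAX_PAYLOAD` limit and the test vectors are all assumptions made for this example.

```python
"""Protocol-validity testing for a constructed length-prefixed wire format.

The frame layout (type, length, payload) and the limits are assumptions for
this example, not a real protocol."""
import struct

HEADER = struct.Struct("!BH")  # type (1 byte), length (2 bytes, big-endian)
MAX_PAYLOAD = 1024             # assumed application-level limit on payload size


class ProtocolError(ValueError):
    """Raised for any frame that fails a validity check."""


def parse_frame(buf: bytes) -> tuple[int, bytes, bytes]:
    """Parse one frame from buf; return (type, payload, remaining bytes).

    The declared length is validated against the limit and against the
    bytes actually present before any slice is taken, so a lying length
    field is rejected instead of turning into an over-read."""
    if len(buf) < HEADER.size:
        raise ProtocolError("truncated header")
    ftype, length = HEADER.unpack_from(buf)
    if length > MAX_PAYLOAD:
        raise ProtocolError(f"declared length {length} exceeds limit {MAX_PAYLOAD}")
    end = HEADER.size + length
    if len(buf) < end:
        raise ProtocolError(
            f"declared length {length} exceeds {len(buf) - HEADER.size} bytes present")
    return ftype, buf[HEADER.size:end], buf[end:]


def build_frame(ftype: int, payload: bytes) -> bytes:
    """Encode a well-formed frame (used to build the valid test vector)."""
    return HEADER.pack(ftype, len(payload)) + payload


# Constructed test vectors: one valid frame and several malformed ones.
VALID = build_frame(1, b"hello")
MALFORMED = {
    "truncated_header": b"\x01",
    "length_exceeds_buffer": HEADER.pack(1, 500) + b"abc",
    "length_exceeds_limit": HEADER.pack(1, 65535) + b"x" * 65535,
    "empty": b"",
}


def run_validity_tests() -> dict:
    """Exercise the parser with the valid and malformed frames.

    Returns a dict mapping each case name to True when the parser behaved
    correctly: it accepted the valid frame and rejected each malformed one."""
    results = {}
    try:
        ftype, payload, rest = parse_frame(VALID)
        results["valid"] = (ftype, payload, rest) == (1, b"hello", b"")
    except ProtocolError:
        results["valid"] = False
    for name, frame in MALFORMED.items():
        try:
            parse_frame(frame)
            results[name] = False   # accepted a malformed frame: a parser bug
        except ProtocolError:
            results[name] = True
    return results


def fuzz_length_field(payload: bytes = b"abc", limit: int = 4096) -> bool:
    """Sweep the declared length with a fixed short payload.

    The parser may accept a frame only when the declared length fits the
    bytes present, and must never hand back more payload than it was given.
    Returns True if every accepted frame satisfies that invariant."""
    for declared in range(limit):
        frame = HEADER.pack(1, declared) + payload
        try:
            _, got, _ = parse_frame(frame)
        except ProtocolError:
            continue
        if len(got) != declared or declared > len(payload):
            return False
    return True


if __name__ == "__main__":
    for name, ok in run_validity_tests().items():
        print(f"{name:24s} {'ok' if ok else 'FAIL'}")
    print(f"{'length sweep':24s} {'ok' if fuzz_length_field() else 'FAIL'}")
```

The harness is deliberately independent of the parser's internals: it only asserts that malformed frames are refused and that accepted frames never yield more payload than was on the wire, which is the property a wire-based overflow violates.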
Current thread:
- Lame studies that people quote as fact that have no basis in reality and still don't prove anything even if they did Dave Aitel (Feb 04)
- Re: Lame studies that people quote as fact that have no basis in reality and still don't prove anything even if they did Rodney Thayer (Feb 04)
- Re: Lame studies that people quote as fact that have no basis in reality and still don't prove anything even if they did Anton A. Chuvakin (Feb 04)
- RE: Lame studies that people quote as fact that have no basis in reality and still don't prove anything even if they did Chris Eagle (Feb 04)
- Re: Lame studies that people quote as fact that have no basis in reality and still don't prove anything even if they did Blue Boar (Feb 04)
- Re: Lame studies that people quote as fact that have no basis in reality and still don't prove anything even if they did Dave Aitel (Feb 04)
- RE: Lame studies that people quote as fact that have no basis in reality and still don't prove anything even if they did Chris Eagle (Feb 04)
- Re: Lame studies that people quote as fact that haveno basis in reality and still don't prove anything even if they did Matt Hargett (Feb 04)
- RE: Lame studies that people quote as fact that haveno basis in reality and still don't prove anything even if they did Chris Eagle (Feb 04)
- Re: Lame studies that people quote as fact that haveno basis in reality and still don't prove anything even if they did Gunnar Peterson (Feb 04)
- Re: Lame studies that people quote as fact that haveno basis in reality and still don't prove anything even if they did Sinan Eren (Feb 04)
- Re: Lame studies that people quote as fact that have no basis in reality and still don't prove anything even if they did Blue Boar (Feb 04)