Dailydave mailing list archives
Re: A single line drawn by Picasso, an Iraqi artist, and a buffer overflow.
From: byte_jump <bytejump () gmail com>
Date: Thu, 9 Jun 2005 16:01:49 -0600
On 6/9/05, john blumenthal <jblumen () xmission com> wrote:
johnb: As long as license agreements continue to transfer all risk to the licensee I believe we do not have a research model that works. I am researching not what motivates security researchers in reality; I am looking at what suspends basic economic principles in producer-consumer relationships when it comes to software.
I'm with John on this one in that currently all risk of vendor A's bad coding and poor QA is transferred to a customer of vendor A. Good grief, there are even customers that are paying for application source code reviews of vendor programs in order to get some degree of assurance that a vendor's code is relatively secure (I say "relatively" because the pronouncement of "safe" code is all based upon the source code reviewer's skills at finding insecure code). Not every company can afford the expertise required to perform a quality source code review of a vendor's program, and vendors are not doing this themselves (or at least aren't releasing the findings to the general public or even to their customers, as far as I know). None of this will be done, will be done with cheap code reviewers, or will never reach vendor A's other customers unless we change the economic model.

As it stands now vendors are not liable for their poor coding and poor (or lack of) QA. They pass those risks onto their customers, which, to me, is unacceptable.

Fighting vendor EULAs is a losing battle, IMO, and vendor liability is not a road I think we should venture down. Software will always have vulnerabilities, so shielding oneself from liability (through insurance) would be prohibitively expensive - and could potentially adversely affect open source projects.

While I'm not sure all of the kinks have or can be worked out, I believe an auction model similar to 0bay achieves the following benefits:

- Rewards researchers for their work.
- Lets the market decide how much researchers should be rewarded.
- Allows vendors to purchase vulnerabilities.
- Allows the potential for non-profit groups such as CERT to purchase vulnerabilities and make the details public.
- Allows customers to measure the relative security strength of a vendor's products against their peers.

There are probably more benefits but these are the most obvious to me.

Good discussion.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave