Full Disclosure mailing list archives
Re: [WEB SECURITY] Re: comparing information security to other industries
From: Krainium <krainium () gmail com>
Date: Tue, 26 Dec 2006 17:28:10 -0600
On Tuesday 26 December 2006 14:02, coderman wrote: <snip>
the vast majority of software developed does not pursue even trivial security assurances. look at the month of kernel bugs to see how common and trivial validations are ignored in critical kernel interfaces to file systems and device drivers, thus subverting the integrity of the entire operating system and applications.
Agreed. It's interesting to note that many of these issues could be prevented simply through security-minded coding practices.
it is indeed folly to expect perfection in a human process of software engineering, but it is nothing less than incompetence and dishonesty to suggest that the existing state of affairs is somehow unavoidable.
Programmers I know usually like to take a sense of accomplishment and ownership in the software they write. But when management enforces unrealistic and draconian project milestones, quality suffers. This is a simple case of "follow the money."
we don't need perfection, but we do need to accept responsibility for the truly crappy state of IT software and systems in place today.
We are accepting responsibility for the vulnerability-riddled IT infrastructure we all depend on daily. The mushrooming demand for IT security professionals is a direct result of businesses and users taking the responsibility. This in itself is very interesting - we have an entire market segment where the buyer/user shoulders an expense (and often a liability) caused from the producer's defective products. How long would a pharmaceutical company exist if it's drugs were known to be poisonous? Would the patient buy and take the antidote so they could continue using the drug, much like we now buy and use all kinds of antivirus, anti-trojan, anti-spyware, etc? Restaurants have expired because of word-of-mouth rumors of poor tasting food. Yet mega-billion dollar software companies flourish and grow, pumping big money into glitzy advertising campaigns, hawking products infested with weakness.
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- comparing information security to other industries KT (Dec 19)
- Re: comparing information security to other industries Valdis . Kletnieks (Dec 19)
- Re: comparing information security to other industries coderman (Dec 19)
- Re: [WEB SECURITY] Re: comparing information security to other industries Andre Gironda (Dec 25)
- Re: [WEB SECURITY] Re: comparing information security to other industries coderman (Dec 26)
- Re: [WEB SECURITY] Re: comparing information security to other industries Krainium (Dec 26)
- Re: [WEB SECURITY] Re: comparing information security to other industries Michael Zimmermann (Dec 27)
- Re: [WEB SECURITY] Re: comparing information security to other industries coderman (Dec 27)
- Re: comparing information security to other industries coderman (Dec 19)
- Re: comparing information security to other industries Valdis . Kletnieks (Dec 19)
- Re: [WEB SECURITY] Re: comparing information security to other industries Dinis Cruz (Dec 22)
- Re: [WEB SECURITY] comparing information security to other industries Nick FitzGerald (Dec 21)
- Re: comparing information security to other industries Brian Eaton (Dec 24)
- Re: comparing information security to other industries Michael Zimmermann (Dec 24)