Re: How many vendors knowingly ship GA product with security vulnerabilities?

[Valdis.Kletnieks () vt edu]

On Thu, 04 May 2006 18:15:18 PDT, Bill Stout said:
> That's an excellent and well thought out reply.  Sounds like you have
> some experience in delivering software.

Not commercial software.  However, commercial software ship dates are
infinitely flexible compared to "30,000 students are showing up Tuesday
and the class registration and housing checking systems *have* to be ready" ;)

> It would seem that if a few days buffer were built into the system,
> specifically to check in security fixes prior to QA; that would be a
> huge 'CYA' benefit to prevent those 'CLM' moves and to protect the
> consumers of the software.

Trust me - the original plan usually *starts* with *more* than "a few days
buffer".

Recommended reading: "The Mythical Man Month" by Fred Brooks - what he learned
as the project manager for IBM's OS/360 operating system development, which
still ranks as one of the biggest software development projects in history.
One of the famous quotes from it: "Adding programmers to late software projects
makes them later"....

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/