Full Disclosure mailing list archives
Fwd: Re[2]: [Dailydave] Security people are leaches. [sic]
From: Thierry Zoller <Thierry () Zoller lu>
Date: Tue, 11 Aug 2009 17:14:51 +0200
As Dave seems to have his ongoing NZ filtering going on again on the DailyDave list, I post it here. Does anybody want to create a list mirroring DD but letting replies through even if they are against your views?

===8<=================== Original message text ===================

Hi Aaron,

> The 'shades of grey' only exist to security people.

Define "security people"? A complete branch of corporate risk management is formed of "security people". So does this make it "less of a problem"?

> To no one else is it important that a bug disclose information, allow invalid root access, or escalate privileges.

You obviously have not worked with or within a company that has to balance all sorts of risks. If a kernel bug is slipped upstream because it was not properly marked as a security issue, it means potential loss. So since when is losing money "only important" to "security people"? Security = Risk of loss, and Sir, this is important for everybody in the company.

I am astounded how narrow-minded some developers have become. Some apparently never see the complete picture of how a business operates, how potential risks/losses are mitigated and how this impacts the developers. SDL training seems to need an introduction on the fundamentals of security, operational and others. A bird's-eye view; maybe if the interconnections are understood, some will understand why it is important. It's not a technical issue - at all.

PS. Dave - I am not writing comments for you to send to /dev/null; I consider my time more useful.

--
http://blog.zoller.lu
Thierry Zoller

===8<============== End of original message text =============
--- Begin Message ---
From: Thierry Zoller <Thierry () Zoller lu>
Date: Fri, 21 Aug 2009 12:20:49 +0200
--- End Message ---
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/