Secure Coding mailing list archives

Re: Open Source failure analysis tool released for Linux


From: "Kenneth R. van Wyk" <Ken () KRvW com>
Date: Fri, 15 Oct 2004 19:35:26 +0100


ljknews wrote:

> At 8:23 AM -0400 10/15/04, Kenneth R. van Wyk wrote:
>> I believe that we don't do enough to analyze and learn from software failures.
>
> I believe the industry as a whole does plenty to analyze software
> failures, particularly considering how little is done to avoid
> those errors.  Added analysis in the face of near-zero remediation
> would be useless.
>
> How many times do we see "buffer overflow" as the cause, yet even on
> this mailing list people still defend the use of languages that not
> only permit but actually promote such errors.


Well, I did say "...analyze AND learn...".  :-)

Seriously, though, there's plenty of data on the symptoms of failures -- 
advisories, securitytracker.com, etc. -- but not enough on the causes, in 
my opinion.


And, to exacerbate the problems, in every software security tutorial 
that I do, I ask the students how many of them read information from 
places like bugtraq, full-disclosure, phrack, and such.  Among the 
software developers, _maybe_ 5% of them say that they do.  Admittedly, 
the percentage is better among the IT Security folks that I talk to, but 
they're not generally the ones that are writing the software.  Of 
course, that's not a scientific survey or anything, but I sure get the 
feeling that very few software dev folks spend any/much time analyzing 
failures.


Cheers,

Ken
