Secure Coding mailing list archives
Re: Re: Application Insecurity --- Who is at Fault?
From: Crispin Cowan <crispin () immunix com>
Date: Mon, 11 Apr 2005 12:32:21 +0100
I strongly disagree with this. Rigorous professional standards for mechanical and structural engineering came about only *after* a well-defined "cookbook" of how to properly engineer things was agreed upon. Only after such standards are established and *proven effective* is there any utility in enforcing the standards upon the practitioners. Software is *not* yet at that stage. There is no well-established cook book for reliably producing reliable software (both of those "reliably"s mean something :) There are *kludges* like the SEI model, but they are not reliable. People can faithfully follow the SEI model and still produce crap. Other people can wholesale violate the SEI model and produce highly reliable software. It is *grossly* premature to start imposing standards on software engineers. We have not a clue what those standards should be. Crispin Edward Rohwer wrote:
I my humble opinion, the bridge example gets to the heart of the matter. In the bridge example the bridge would have been design and engineered by licensed professionals, while we in the software business sometime call ourselves "engineers" but fall far short of the real, professional, licensed engineers other professions depend upon. Until
we as
a profession are willing to put up with that sort of rigorous examination and certification process, we will always fall short in many area's and of many expectations. Ed. Rohwer CISSP -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, April 08, 2005 10:54 PM To: Margus Freudenthal Cc: Secure Coding Mailing List Subject: [SC-L] Re: Application Insecurity --- Who is at Fault?
Margus Freudenthal wrote:
Consider the bridge example brought up earlier. If your bridge builder finished the job but said: "ohh, the bridge isn't secure though. If someone tries to push it at a certain angle, it will fall".
Ultimately it is a matter of economics. Sometimes releasing something
earlier
is worth more than the cost of later patches. And managers/customers are
aware
of it.
Unlike in the world of commercial software, I'm pretty sure you don't see a whole lot of construction contracts which absolve the architect of liability for design flaws. I think that is at the root of our problems. We know how to write secure software; there's simply precious little economic incentive to do so. -- David Talkington [EMAIL PROTECTED] -- Crispin Cowan, Ph.D. http://immunix.com/~crispin/ CTO, Immunix http://immunix.com
Current thread:
- Application Insecurity --- Who is at Fault? Kenneth R. van Wyk (Apr 06)
- Re: Application Insecurity --- Who is at Fault? Michael Silk (Apr 06)
- Re: Application Insecurity --- Who is at Fault? Dave Paris (Apr 06)
- Re: Application Insecurity --- Who is at Fault? Michael Silk (Apr 06)
- Re: Application Insecurity --- Who is at Fault? Blue Boar (Apr 07)
- Re: Application Insecurity --- Who is at Fault? Michael Silk (Apr 07)
- Re: Application Insecurity --- Who is at Fault? Margus Freudenthal (Apr 07)
- Re: Application Insecurity --- Who is at Fault? dtalk-ml (Apr 10)
- Re: Application Insecurity --- Who is at Fault? ljknews (Apr 10)
- RE: Re: Application Insecurity --- Who is at Fault? Edward Rohwer (Apr 10)
- Re: Re: Application Insecurity --- Who is at Fault? Crispin Cowan (Apr 11)
- Re: Re: Application Insecurity --- Who is at Fault? Kenneth R. van Wyk (Apr 11)
- Re: Re: Application Insecurity --- Who is at Fault? Michael Silk (Apr 11)
- Re: Re: Application Insecurity --- Who is at Fault? Dave Paris (Apr 11)
- RE: Re: Application Insecurity --- Who is at Fault? Chris Matthews (Apr 11)
- Re: Re: Application Insecurity --- Who is at Fault? Michael Silk (Apr 11)
- Re: Re: Application Insecurity --- Who is at Fault? der Mouse (Apr 12)
- Re: Re: Application Insecurity --- Who is at Fault? Michael Silk (Apr 12)
- Re: Re: Application Insecurity --- Who is at Fault? der Mouse (Apr 12)
- Adding some unexpected reliability expectations ljknews (Apr 13)
- Re: Adding some unexpected reliability expectations Rob, grandpa of Ryan, Trevor, Devon & Hannah (Apr 13)
- Re: Application Insecurity --- Who is at Fault? Dave Paris (Apr 06)
- Re: Application Insecurity --- Who is at Fault? Michael Silk (Apr 06)