bumper sticker slogan for secure software

[michaelslists at gmail.com (mikeiscool)]

On 7/20/06, Andrew van der Stock <vanderaj at greebo.net> wrote:
> Actually, it is a myth.
>
> For every non-trivial system, there are business pressures on
> resourcing, deadlines, and acceptable quality (pick any two). Once a
> business has set their taste for risk, it makes no sense to spend say
> $10m on security controls on a product and delay it for six months
> which may only bring in $2m in revenue in total, or none at all if
> the company runs out of money to bring it to market.
>
> At the moment, most companies neither accept or assign the risk,
> enumerate the risk correctly, nor take adequate steps to eliminate as
> much risk as possible. We need to improve all three aspects. Even in
> a perfect world, there will still be bugs and security defects. Let's
> make sure that the remaining ones are really hard to exploit, and
> when the exploit happens, not much loss occurs.

yeah.

but none of this changes the fact that it IS possible to write
completely secure code.


> thanks,
> Andrew

-- mic