Secure Coding mailing list archives
Interesting tidbit in iDefense Security Advisory 06.26.07
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 26 Jun 2007 20:09:46 -0400 (EDT)
On 6/26/07 4:25 PM, "Wall, Kevin" <Kevin.Wall at qwest.com> wrote:

> I mean, was the fix really rocket science that it had to take THAT LONG??? IMHO, no excuse for taking that long.
Some major vendor organizations, most notably Oracle and Microsoft, have frequently stated that they can't always fix even simple vulnerabilities instantly, because they have batteries of tests and platforms to verify that the fix won't damage anything else. I can see why this would be the case, although I rarely hear vendors talk about what they're doing to make their response time faster. Open source vendors likely have similar challenges, though maybe not on such a large scale.

I'd be interested to hear from the SDLC/CMM consultant types who work with vendors on process, about *why* this is the case. And in terms of future challenges: how can the lifecycle process be changed so that developers can quickly and correctly fix show-stopping issues (including/especially vulnerabilities)?

It would seem to me that one way that vendors can compete, but don't, is in how quickly and smoothly they fix issues in existing functionality, which might be a large part of the operational expenses for an IT consumer.

- Steve
Current thread:
- Interesting tidbit in iDefense Security Advisory 06.26.07 Kenneth Van Wyk (Jun 26)
- Interesting tidbit in iDefense Security Advisory 06.26.07 Steven M. Christey (Jun 26)
- Interesting tidbit in iDefense Security Advisory 06.26.07 Wall, Kevin (Jun 26)
- Interesting tidbit in iDefense Security Advisory 06.26.07 Paco Hope (Jun 26)
- Interesting tidbit in iDefense Security Advisory 06.26.07 Steven M. Christey (Jun 26)
- The Next Frontier McGovern, James F (HTSC, IT) (Jun 26)
- The Next Frontier Paco Hope (Jun 27)
- The Next Frontier ljknews (Jun 27)
- The Next Frontier Steven M. Christey (Jun 27)
- The Next Frontier McGovern, James F (HTSC, IT) (Jun 28)
- Interesting tidbit in iDefense Security Advisory 06.26.07 Paco Hope (Jun 26)
- Interesting tidbit in iDefense Security Advisory 06.26.07 Leichter, Jerry (Jun 27)
- Comparing Software Vendors McGovern, James F (HTSC, IT) (Jun 28)
- <Possible follow-ups>
- Interesting tidbit in iDefense Security Advisory 06.26.07 David A. Wheeler (Jun 28)