Secure Coding mailing list archives
Re: Sad state of affairs
From: Rafal Los <rafal () ishackingyou com>
Date: 20 Sep 2013 20:34:49 -0700
Wait a minute, this relationship is a bit confused I think. Prasad said it well: often the result of a maturing software security program is that the simple and easy bugs disappear and the ones that are left are difficult to find and complex in exploitation. This is known as eliminating the "low hanging fruit". While this doesn't eliminate ALL bugs, I ultimately believe that's a fool's errand anyway. Making the software as free of bugs as possible necessarily makes the ones left in the system difficult to find and exploit. Then you work in good anomaly detection mechanisms and have a great case for *reasonably* secure software. Of course, this is all predicated on you knowing and being able to define the word reasonable. Just my opinion.

/// Rafal Los

----- Reply message -----
From: "Jeffrey Walton" <noloader () gmail com>
To: "Bobby G. Miller" <b.g.miller () gmail com>
Cc: "Secure Coding List" <sc-l () securecoding org>
Subject: [SC-L] Sad state of affairs
Date: Fri, Sep 20, 2013 10:01 PM

On Fri, Sep 20, 2013 at 7:47 PM, Bobby G. Miller <b.g.miller () gmail com> wrote:
I was just listening to a podcast interviewing a security executive from a prominent vendor. The response to vulnerabilities was to raise the cost/complexity of exploiting bugs rather than actually employing secure coding practices. What saddened me most was that the approach was apparently effective enough.
+1. Software security is in a sad state. What I've observed: let the developers deliver something, then have it pen tested, and finally fix what the pen testers find. I call it "catch me if you can" security. I think the underlying problem is the risk analysis equations. It's still cost effective to do little or nothing. Those risk analysis equations need to be unbalanced. And I don't believe this is the solution: http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems. Too many carrots and too few sticks means it becomes more profitable to continue business as usual.

Jeff

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________