Re: Submission

[Scott Blake <blake () HOMEPORT ORG>]

> people's motivations, I feel it is time once again to point
> out that none of
> this would be relevant if application developers would do
> their own security
> reviews prior to releasing their software, rather than

While security reviews certainly help (immensely in some cases), they
are far from foolproof.  My company conducts regular reviews of our our
software and we miss things.  Sometimes, other people find them before
we do.  I believe it is inherent in commercial software production, at
least.  I suspect some OpenBSD people might even agree that security
reviews and security concious developers help but are no guarantee that
nothing will go wrong.  Indeed, only government reviews seem to make any
claims about assured security in systems.

As we have all seen, the economics here are very straightforward.  Until
consumers demand secure products (with their dollars, not their voices)
we will have insecure software.  In the meantime, I think there is a
balance to be struck between giving vendors time to fix their problems
and the public's need to know.  When vendors take too long, pressure can
be brought short of dramatically widening the dangers to their users.
My own rule of thumb is to give vendors time as long as they appear to
be laboring in good faith.  I'm open to the argument that that's naive,
but you'd be hard-pressed to show that it makes the public -less- secure
than immediate public disclosure.

Face it folks, the vendors aren't to blame, the market economy is.

-----
Scott Blake
blake () razor bindview com
Security Program Manager
BindView Corporation