Bugtraq mailing list archives
Re: Submission
From: Scott Blake <blake () HOMEPORT ORG>
Date: Tue, 28 Nov 2000 18:00:59 -0600
people's motivations, I feel it is time once again to point out that none of this would be relevant if application developers would do their own security reviews prior to releasing their software, rather than
While security reviews certainly help (immensely in some cases), they are far from foolproof. My company conducts regular reviews of our software and we miss things. Sometimes, other people find them before we do. I believe it is inherent in commercial software production, at least. I suspect some OpenBSD people might even agree that security reviews and security conscious developers help but are no guarantee that nothing will go wrong. Indeed, only government reviews seem to make any claims about assured security in systems.

As we have all seen, the economics here are very straightforward. Until consumers demand secure products (with their dollars, not their voices) we will have insecure software.

In the meantime, I think there is a balance to be struck between giving vendors time to fix their problems and the public's need to know. When vendors take too long, pressure can be brought short of dramatically widening the dangers to their users. My own rule of thumb is to give vendors time as long as they appear to be laboring in good faith. I'm open to the argument that that's naive, but you'd be hard-pressed to show that it makes the public -less- secure than immediate public disclosure.

Face it folks, the vendors aren't to blame, the market economy is.

-----
Scott Blake
blake () razor bindview com
Security Program Manager
BindView Corporation