Bugtraq mailing list archives

Re: On product vulnerability history and vulnerability complexity


From: Gadi Evron <ge () linuxbox org>
Date: Tue, 04 Apr 2006 02:34:00 +0200

Forrest J. Cavalier III wrote:
Just a half-baked idea. Does selling software quality assurance make sense?

If you will allow me to answer only that part of your email, I honestly don't know - but:

Standardization and regulation are where we are all heading, in many different directions, whether we like it or not. Today people believe such testing cannot reliably be done. I disagree.

Point is, whether I am right or wrong, we may see a demand by companies to do just that so that they can meet said standardization or regulation.

So, I am not sure if selling it makes sense, but where there is a demand there is a market, and I believe today people look for the HOW. Code analysis and auditing are important steps, as well as secure coding and QA security. That said, that process has proven itself, at the macro level, to be a complete failure.

I tend to agree with Dave Aitel that fuzzers may be part of the solution to that. I would add that they are, once they reach a level of maturity and efficiency that merits such treatment. Such certification is coming, and such technology exists / can be found in a few places. That said (full disclosure), on these last two sentences you should take what I say with a grain of salt, as I currently work for a fuzzing vendor.

        Gadi.
