Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe)

[Darren Reed <darrenr () reed wattle id au>]

In some email I received from Joseph Steinberg, sie wrote:
> I agree wholeheartedly that we do need to come up with a better way of
> addressing these issues than patching every specific vulnerability. Our
> e-Gap systems do this with positive logic -- i.e., enforcing that
> web-servers/applications only receive requests in formats that the
> web-servers/apps expect. So, worm attacks, hacker attacks, etc. (which are
> generally based on unexpected submissions) fail -- regardless of whether the
> particular hack is known to our product or not. I am curious how others deal
> with this.
[...]

How about making it a felony to sell or otherwise provide software for
commercial use that contains buffer overflows ?  Or make it something you
cannot "disclaim" - it should be part of the exercising of due diligence
every software company has to get them out of software before releasing it.

I'm actually half serious about this.

It's time to start raising the bar.

How much does it cost the world to patch these problems up vs the developer
to put in place proper testing to find and eliminate these problems before
it goes out the door?  How can we allow such a critical piece of modern life
to be such a pile of rubbish?  The frightening thing is if you look from the
embedded market all the way up to super computers, there are no exceptions
in the "has a buffer overflow security hole" category.

Darren

p.s. this is all rant.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards