Firewall Wizards mailing list archives

Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe)


From: Adam Shostack <adam () homeport org>
Date: Tue, 7 Aug 2001 11:00:32 -0400

On Tue, Aug 07, 2001 at 09:17:08PM +1000, Darren Reed wrote:
| How about making it a felony to sell or otherwise provide software for
| commercial use that contains buffer overflows ?  Or make it something you
| cannot "disclaim" - it should be part of the exercising of due diligence
| every software company has to get them out of software before releasing it.
| 
| I'm actually half serious about this.
| 
| It's time to start raising the bar.
| 
| How much does it cost the world to patch these problems up vs the developer
| to put in place proper testing to find and eliminate these problems before
| it goes out the door?  How can we allow such a critical piece of modern life
| to be such a pile of rubbish?  The frightening thing is if you look from the
| embedded market all the way up to super computers, there are no exceptions
| in the "has a buffer overflow security hole" category.

I think that, with the advent of automated code scanning tools (RATS, 
ITS4) and compiler modifications (StackGuard, FormatGuard), it becomes 
easier to argue that due care in creating software involves adding
these tools to your build process, and not releasing code that doesn't 
scan clean.

Before there were standard tools for this purpose, it was harder to
make the argument--what was ok code or not was a matter of debate and
personal opinion or style.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
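As an added example (not code from this post, nor from RATS, ITS4, StackGuard or FormatGuard), here is the kind of build-process gate Adam describes: sources that do not scan clean are blocked, and the rest are compiled with stack canaries and format-string checks, the compiler-side descendants of the StackGuard/FormatGuard idea. The scanner is a constructed grep-based stand-in for RATS/ITS4, and `scan_clean`, `hardened_build`, `release_gate` and the two sample sources are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the list post. A small release gate: refuse to
# build C sources that do not scan clean, then compile survivors with stack
# canaries and format-string checks (the compiler-side descendants of the
# StackGuard/FormatGuard idea). The scanner is a constructed stand-in for
# RATS/ITS4: a grep deny-list of unbounded string/IO calls.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample inputs: one source that must be blocked, one that passes.
cat > "$WORK/unsafe.c" <<'EOF'
#include <string.h>
void greet(char *dst, const char *name) {
    strcpy(dst, name);            /* unbounded copy: overflows if name is long */
}
EOF
cat > "$WORK/safe.c" <<'EOF'
#include <stdio.h>
void greet(char *dst, size_t n, const char *name) {
    snprintf(dst, n, "%s", name); /* bounded copy; not on the deny-list */
}
EOF

# The leading group is a portable word boundary, so snprintf, strncpy, fgets
# and sscanf are not matched.
DENY='(^|[^A-Za-z0-9_])(gets|strcpy|strcat|sprintf|vsprintf|scanf)[[:space:]]*\('

# scan_clean FILE: prints each finding as FILE:LINE:CODE; returns 1 on any hit.
scan_clean() {
    findings=$(grep -nE "$DENY" "$1" || true)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" | sed "s|^|$1:|"
        return 1
    fi
    return 0
}

# hardened_build FILE: canaries, fortified libc wrappers, and format warnings
# promoted to errors. Assumes a cc that accepts these GCC/Clang flags.
hardened_build() {
    cc -O2 -Wall -Wformat -Wformat-security -Werror \
       -fstack-protector-strong -D_FORTIFY_SOURCE=2 -c "$1" -o "${1%.c}.o"
}
# release_gate FILE: the step a release build runs; both checks must pass.
release_gate() { scan_clean "$1" && hardened_build "$1"; }

for src in "$WORK/unsafe.c" "$WORK/safe.c"; do
    if scan_clean "$src"; then echo "clean: $src"; else echo "BLOCKED: $src"; fi
done
```

Wiring `release_gate` into the build target for every translation unit makes "doesn't scan clean" a failed build rather than a matter of opinion.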

