Firewall Wizards mailing list archives

RE: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe)


From: "Scott, Richard" <Richard.Scott () BestBuy com>
Date: Tue, 7 Aug 2001 16:29:24 -0500




<snip>

Darren Reed wrote:
How much does it cost the world to patch these problems up vs the developer
to put in place proper testing to find and eliminate these problems before
it goes out the door?  How can we allow such a critical piece of modern life
to be such a pile of rubbish?


<snip>
Seatbelts were not mandatory until the 1960's. Shoulder straps
didn't come in until the 1970's, and airbags in the 1980s/90s. In the
late 1970's Lee Iacocca, the CEO of General Motors, said that they
would never put airbags in their cars because customers wouldn't
pay for them. So, for the first 20-30 _years_ of the history of personal
automobiles, it must have been _accepted_ and even taken for
granted that when you ditched your car at speeds approaching 50MPH
you _were_ going to eat that big bakelite steering wheel and you _were_
going to need reconstructive surgery. Bummer that reconstructive
surgery hadn't been invented, yet...  For some reason this was
considered "acceptable."

        Actually, it wasn't just acceptable, it was legal.  Hence we can buy
cars that top out at 200mph, but there are laws to deal with people who do.

<snip>

Well, I would just like to pose that the missing item that made what Marcus
mentioned relevant is the government legislation that forced "safety".  This
gave the car industry a legal contract or specification that they had
to meet.

Just like doctors or lawyers are obliged by certain legislation, I think
computer scientists and developers of industrial software and hardware must
be too.  Take for example the simple buffer overflow: very simple, but as
deadly when exploited.  If legislation were passed that said, to some effect:

"Any piece of code that is used for industrial purposes and that takes as
input some value that is unbounded must limit the input or make a safe
calculation of additional storage medium to safely handle the data"

Now, the software and hardware industry would have, as a rule, something to
measure up against; it is very clear and must be implemented.  Businesses
wouldn't be able to rush things through to market without risking a
monetary loss from prosecution.  Thus, test plans would incorporate checks
for use of poor functions such as strcpy et al, and developers would need to
ensure themselves that they follow the law... higher salaries go to those
who can...

I think no risk disclaimers on software only go to push the tech industry
into a cheap money-making arena rather than a professional one.



Richard Scott   
Information Security
Tel: (001) -952-995-5432
Fax: (001) -952-996-4830
Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA
The views expressed in this email do not represent Best Buy
or any of its subsidiaries.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
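The rule Richard sketches above ("limit the input or make a safe calculation of additional storage") maps onto two concrete coding patterns. The block below is an added illustration written for this archive page, not code from the original post or from any list member; the field capacity `NAME_CAP`, the function names and the sample inputs are all constructed for the example. It shows a bounded copy that takes the destination size as an explicit parameter (so the length check that `strcpy` omits cannot be forgotten) beside a copy that sizes its storage from the input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the original post. Two ways to satisfy the
 * rule for unbounded input: bound the copy to the destination's capacity,
 * or size the destination from the input length. */

#define NAME_CAP 16   /* fixed capacity of the on-stack field (assumed value) */

/* "Limit the input": copy at most cap-1 bytes and always NUL-terminate.
 * Returns 0 on success, -1 if the input would not fit, in which case dst
 * is left as an empty string. Unlike strcpy, the destination size is an
 * explicit parameter, so the check is part of the interface. */
int copy_bounded(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (cap == 0)
        return -1;
    if (n >= cap) {            /* n+1 bytes needed, only cap available */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* includes the terminator */
    return 0;
}

/* "Calculate additional storage": measure the input and allocate exactly
 * what it needs (+1 for the terminator). Caller frees. Returns NULL on
 * allocation failure or if n + 1 would wrap around. */
char *copy_sized(const char *src)
{
    size_t n = strlen(src);
    if (n == SIZE_MAX)
        return NULL;
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, src, n + 1);
    return out;
}

/* Simulated handler with a fixed-capacity field. Returns 1 if the name
 * was accepted, 0 if rejected because it did not fit. */
int accept_name(const char *input)
{
    char name[NAME_CAP];
    return copy_bounded(name, sizeof name, input) == 0 ? 1 : 0;
}

/* Exercise copy_sized: returns the length of the heap copy it made,
 * or 0 on allocation failure. */
size_t sized_copy_len(const char *input)
{
    char *copy = copy_sized(input);
    if (copy == NULL)
        return 0;
    size_t len = strlen(copy);
    free(copy);
    return len;
}

int main(void)
{
    /* Constructed inputs: one that fits NAME_CAP, one that does not. */
    const char *ok  = "alice";
    const char *big = "this name is far too long for the field";

    printf("short input accepted: %d\n", accept_name(ok));
    printf("long input accepted:  %d\n", accept_name(big));
    printf("sized copy of long input holds %zu bytes\n", sized_copy_len(big));
    return 0;
}
```

The point a test plan of the kind Richard describes would check is visible in the signatures: `copy_bounded` cannot be called without stating the destination's capacity, and `copy_sized` never writes into storage it did not size itself, so a review that flags bare `strcpy` calls has a drop-in replacement to point at.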

