Firewall Wizards mailing list archives
RE: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe)
From: "Scott, Richard" <Richard.Scott () BestBuy com>
Date: Wed, 8 Aug 2001 11:19:13 -0500
> <snip> I would love for god to give me the all in one product to secure my IT, and finally spare me some time for the things like sand and beach and... But sadly one has to think hard and build it from building blocks. <snip>

Ok, this is my last two cents. Reading the threads, it seems that people were focused on applying their effort to fixing the problem. The main culprit for buffer overflows is poor engineering. I think people forget that when we get down to it, we are scientists, playing with and engineering with many components. However, I see many developers and network admins who are all clobbered. That is, business drives the market that drives the production of software. This consumable has no regulation in effect, and hence is very similar to building buildings, cars, or anything else without following engineering standards and legal laws.

Contracts do not prevent such errors in engineering. The reason why this is the case is that contracts do not enforce good practice when dealing with software. If the software isn't good, in many contracts the money is not paid on the next quarter's license.

Engineering standards should be made, and people should expect that this qualification should be a must. If a developer goes against such standards, they could be fired or released. This would then make for a volatile market, and real developers would get paid decent money, whilst the cowboys would not.

Take doctors as a sample. Any doctor going against medical opinion that is published and adhered to can be sued. Malpractice is a better word for it. The same should apply to engineers of software, just like engineers of buildings, airplanes and space shuttles. The problem often seen is that low-grade employment is used to produce a high-quality product. Joe Bloggs with his Visual Monkey ++ Certification and Mickey Mouse with his PhD in Business Therapy have been drafted in by consulting companies to produce critical code.

You can't do this in any other industry for which legislation can be made for malpractice.

Cheers,
r.

Richard Scott
Information Security - Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA

The views expressed in this email do not represent Best Buy or any of its subsidiaries.