Firewall Wizards mailing list archives

Re: tunnel vs open a hole


From: George Capehart <capegeo () opengroup org>
Date: Thu, 10 Apr 2003 11:16:45 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 10 April 2003 09:07 am, R. DuFresne wrote:
It seems that the real power holder in the whole debate is perhaps
that identity having been pointed to and referenced more frequently
in recent rants on coding styles and such;  the consumer.  On that
bent, perhaps a holding of breath for change to take place in forcing
companies and their coders and such to pay more attention to the
details of security and bounds checks and all, might well result in
a number of purple heads/faces blowing up under pressure.  After all,
we as a buying public still pay out large sums of cash yearly for
SUVs that almost need a direct link to a gas pump, roll over with
slight twists of the steering mechanics to avoid obstacles, and do
extremely poorly in crash tests.  Even with seatbelts and airbags
installed, under federal regulations.


I'm replying to the list 'cause I'm going to include comments from 
others in this thread rather than reply to them individually.

Jeffrey Behm sorta kicked things off when he lamented the absence of 
(even) basic secure coding practices in most software.

Over the course of the thread, mjr has made several points:
  o  "It's an across the board problem. I think there's enough blame to 
go around, honestly. :)"  -- Hard not to agree with this.
  o  "Hence, UCITA, to head off just that eventuality." -- So don't even 
think about recourse . . .
  o  The point about "Continuing to put your good money down on crap 
that you know is crap eventually loses you your moral position from 
which to complain if what you get is crap."  This is a valid position.  
Problem I see here is that in almost all of the cases of which I am 
aware, the people who make the decision to continue to buy crap either 
don't know it's crap or don't care.  This points to what will become 
the theme of this message.

Adam Shostack made the point: "At the end of the day, its the customers, 
who need to have a good reason to care about security, and good 
assurance that their spending has an effect."

Mike Frantzen's point:  "Lesson learned, just do it right."

Then there is Ron DuFresne's jewel:  "On that bent, perhaps a
holding of breath for change to take place in forcing companies and 
their coders and such to pay more attention to the details of security 
and bounds checks and all, might well result in a number of purple 
heads/faces blowing up under pressure."

To me this all ends up as a governance and accountability issue.  There 
certainly is enough blame to go around.  This is not an intractable 
problem.  IMHO, the reason it is not being managed is that no one is 
being held accountable for not "doing it right."  Why is that?  It is 
not important.  *That* makes it a governance issue.  How does one get 
the attention of a Board of Directors?  Good question.  
Someone/something got Bill Gates' attention . . .

Suggestions will be greatly appreciated.  :>

FWIW
- --
George Capehart

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+lYrmYxuy9mPw9kIRAjWlAJ4ol7qFGXxJGIRc1jW9hy4exwKpcACfW4kC
MMgyiOJ9pWvxzYUuFoW5w9M=
=ng/1
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

