funsec mailing list archives

Re: Curious questions...


From: Drsolly <drsollyp () drsolly com>
Date: Mon, 24 Oct 2005 22:44:53 +0100 (BST)

> - What tools did you use to help you find these vulnerabilities?

1) we had a QA department, whose job was to find bugs, as well as test
that the product found the viruses and didn't give false alarms.

2) But the ultimate testing was done by users, who have a far more diverse
set of systems than any QA department could have.

> So was this during the beta cycle or after the product was released?
> If it was the latter, then that means you had to generate
> minor-releases and customers had to install patches and so on. Now if

In the context of an antivirus, where you *know* you're going to be 
issuing monthly upgrades, there is no issue of "minor releases" and 
"patches".

> you were a vendor with over a million lines of code, 5 different major
> releases, 20 different customer special releases, 13 different os/cpu
> platforms, it certainly takes a while to respond to

We had about a dozen platforms, but a common code base. We only ever had 
one major release at a time; people had to upgrade. We refused to do 
"customer special releases", we'd always explain to the customer that it 
would be hazardous for him to have something like that. But we did have 
ways that people could "customise" the product for their own company.

> bugs^H^H^H^Hvulnerabilities found in the field. I have nothing for or
> against vendors, but it seemed that in all the full-disclosures and
> advisories the complexities/practicalities of fixing a problem, post
> deployment, were silently ignored. We tend to quickly point out the fact
> that so-and-so had an open vulnerability for over 4 months and they
> haven't done anything to fix it.
>
> Just to point this thread in the right direction, what do you think we
> can do to bring security [awareness/knowledge/know-how] into the
> development process?

You can't, except maybe for security products (and often not even then).
It's very simple - there's no demand for secure products; users don't want 
them. So the market, supplying what is wanted, doesn't supply secure 
products.

Maybe you're asking the wrong question here. Maybe the question shouldn't 
be "how do we persuade developers to write secure products?". Maybe the 
question should be "How do we persuade info security people to stop 
worrying about providing something that users don't want?"

I cite the example of tobacco; in any world that cared about human safety,
tobacco would be illegal. In our world that allows people to harm
themselves as much as they want to, tobacco is omnipresent.

> People are writing code all over like there's no
> tomorrow and we, as a software industry, haven't learned much since
> the Morris worm. Well, we might have learned a thing or two, but it's
> definitely not made it back to the average developer out there.
 
The "average developer" writes HTML using Dreamweaver and calls it 
"development". The advanced ones write Basic and think they're the bee's 
knees. 

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.