funsec mailing list archives
Re: Curious questions...
From: Drsolly <drsollyp () drsolly com>
Date: Mon, 24 Oct 2005 22:44:53 +0100 (BST)
> > > - What tools did you use to help you find these vulnerabilities?
> >
> > 1) we had a QA department, whose job was to find bugs, as well as test that the product found the viruses and didn't give false alarms.
> >
> > 2) But the ultimate testing was done by users, who have a far more diverse set of systems than any QA department could have.
>
> So was this during the beta cycle or after the product was released? If it was the latter, then that means you had to generate minor-releases and customers had to install patches and so on. Now if
In the context of an antivirus, where you *know* you're going to be issuing monthly upgrades, there is no issue of "minor releases" and "patches".
> you were a vendor with over a million lines of code, 5 different major releases, 20 different customer special releases, 13 different os/cpu platforms, it certainly takes a while to respond to
We had about a dozen platforms, but a common code base. We only ever had one major release at a time; people had to upgrade. We refused to do "customer special releases", we'd always explain to the customer that it would be hazardous for him to have something like that. But we did have ways that people could "customise" the product for their own company.
> bugs^H^H^H^Hvulnerabilities found in the field. I have nothing for or against vendors, but it seemed that in all the full-disclosures and advisories the complexities/practicalities of fixing a problem, post deployment, were silently ignored. We tend to quickly point out the fact that so-and-so had an open vulnerability for over 4 months and they haven't done anything to fix it. Just to point this thread in the right direction, what do you think we can do to bring security [awareness/knowledge/know-how] into the development process?
You can't, except maybe for security products (and often not even then). It's very simple - there's no demand for secure products; users don't want them. So the market, supplying what is wanted, doesn't supply secure products. Maybe you're asking the wrong question here. Maybe the question shouldn't be "how do we persuade developers to write secure products?". Maybe the question should be "How do we persuade info security people to stop worrying about providing something that users don't want?" I cite the example of tobacco; in any world that cared about human safety, tobacco would be illegal. In our world that allows people to harm themselves as much as they want to, tobacco is omnipresent.
> People are writing code all over like there's no tomorrow and we, as a software industry, haven't learned much since the Morris worm. Well, we might have learned a thing or two, but it's definitely not made it back to the average developer out there.
The "average developer" writes HTML using Dreamweaver and calls it "development". The advanced ones write Basic and think they're the bee's knees.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- Curious questions... Kowsik Guruswamy (Oct 24)
- Re: Curious questions... Drsolly (Oct 24)
- Re: Curious questions... Kowsik Guruswamy (Oct 24)
- Re: Curious questions... Drsolly (Oct 24)
- Re: Curious questions... Kowsik Guruswamy (Oct 24)
- Re: Curious questions... Gary Warner (Oct 24)
- Re: Curious questions... Gary Warner (Oct 24)
- Re: Curious questions... Nick FitzGerald (Oct 24)
- Re: Curious questions... Tom Van Vleck (Oct 24)
- Re: Curious questions... Nick FitzGerald (Oct 24)
- Re: Curious questions... Kowsik Guruswamy (Oct 24)
- Re: Curious questions... Florian Weimer (Oct 24)
- Re: Curious questions... Aviram Jenik (Oct 25)
- <Possible follow-ups>
- RE: Curious questions... Blanchard_Michael (Oct 24)
- RE: Curious questions... Drsolly (Oct 24)
- Re: Curious questions... Drsolly (Oct 24)