Re: Curious questions...

[Tom Van Vleck <thvv () multicians org>]

> The reason for my questions is simple: There seems to be a huge
> [technology/awareness] gap between the people that build
> software/hardware/systems and the people that find holes in those
> systems. Both sets of people are fairly competent in what they do.

Current commercial products are not built to be secure.
The people building these products are "competent" at building
insecure systems.  There are several ways to break insecure
systems, and patient and ingenious programmers are "competent"
at eventually finding them.  This is as interesting as
Three Card Monte.


> What I'm really leading to is, how can we, as people involved in the
> security industry, address and fix this gap? Full-disclosure is fine
> and dandy, but it doesn't get to the root cause early enough.

There are four steps to secure systems.  I wrote about this in
  http://www.multicians.org/thvv/nasty.html
with regard to quality in general, but it applies to system security.
A development organization that is not committed, top to bottom, to
zero security defects will end up producing insecure systems.
Security has to be built into system architecture, process, and tools.
A large system whose security requirements are met by depending on care
and skill will produce insecure systems.

People set out to build cheap systems, and the cost of systems has
dropped by more than 5 orders of magnitude. They didn't want secure
systems, because it would cost more.  The "gap" is that some folks
wish their cheap systems were secure, and use them as if they were.
Evolution should take care of this: in the long run this is not
survival behavior.


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.