Secure Coding mailing list archives
Re: The problem is that user management doesn't demand security
From: Michael Cassidy <cassidy () panix com>
Date: Wed, 10 Dec 2003 17:14:18 +0000
At 2:47 PM -0600 12/9/03, Stephen Galliver wrote:
Buying from the competition is the most obvious idea, but with a market segment [1] in a race to the bottom (the cheapest set of the most features), there may not be a secure alternative.
This only works if there is a real choice. Until recently the only choice for publishing was QuarkXpress and QPS. There was no other product. For OS in desktop computers it's been Windows; only publishing is using MAC; and Linux is really not ready for end users.
Once you have chosen the best product you can, the vendor has your money. How then to apply pressure to squash bugs and fill holes? The current model uses a mix of extortion (fix this hole or I release it to the world) and loss of brand value or reputation (fix this bug or everyone will know you don't support your customers). Without passing judgment on the current model, is there another way?
This assumes that the end user knows it's a bug as opposed to a mistake he made. When you're talking about Photoshop, QuarkXpress, Word, Windows, MAC OS, Lotus Notes and other big programs, how does an end user who is only trying to write a letter or clean up an image know whether it's him, the program, the OS or the hardware? As for management, how many actually handle the software? Most rely on the end user; and then how many really know enough to distinguish between user misuse, and software, OS and hardware bugs?

[Ed. Let's close out this thread, please -- or at least bring it back to the topic of _developing_ secure software. KRvW]

------------------------------------------------------------------
Jazz is freedom. - T. Monk
http://www.panix.com/~cassidy
[Public key available.]
Current thread:
- Re: Let's get the ball rolling -- secure application design tools/processes, (continued)
- Re: Let's get the ball rolling -- secure application design tools/processes George Capehart (Dec 07)
- Re: Let's get the ball rolling -- secure application design tools/processes Crispin Cowan (Dec 08)
- The problem is that user management doesn't demand security David A. Wheeler (Dec 08)
- Re: The problem is that user management doesn't demand security Dana Epp (Dec 08)
- Re: The problem is that user management doesn't demand security Jared W. Robinson (Dec 09)
- Re: The problem is that user management doesn't demand security Erik van Konijnenburg (Dec 08)
- Re: The problem is that user management doesn't demand security Kenneth R. van Wyk (Dec 09)
- Re: The problem is that user management doesn't demand security George Capehart (Dec 09)
- Re: The problem is that user management doesn't demand security Stephen Galliver (Dec 09)
- Re: The problem is that user management doesn't demand security Andreas Saurwein (Dec 10)
- Re: The problem is that user management doesn't demand security Michael Cassidy (Dec 10)
- Re: Let's get the ball rolling -- secure application design tools/processes George Capehart (Dec 07)
- Re: The problem is that user management doesn't demand security George W. Capehart (Dec 10)
- Re: The problem is that user management doesn't demand security Julie Ryan (Dec 11)