Secure Coding mailing list archives
Re: The problem is that user management doesn't demand security
From: Andreas Saurwein <saurwein () uniwares com>
Date: Wed, 10 Dec 2003 16:25:22 +0000
At 9/12/2003 18:47 Tuesday, you wrote:

> I admit this next question may point to a lack of imagination on my part, but as a customer/end-user, *how* do you hold a vendor accountable for security? Once you have chosen the best product you can, the vendor has your money. How then to apply pressure to squash bugs and fill holes? The current model uses a mix of extortion (fix this hole or I release it to the world) and loss of brand value or reputation (fix this bug or everyone will know you don't support your customers). Without passing judgment on the current model, is there another way?

Experience shows that most ISVs are more than happy when you report bugs to them. We, as developers, are better qualified than anyone else to do this. We know what is important in a bug report, what to tell, how to explain it. People appreciate that. Often they even reward you with various things like free licenses of their product, gimmicks, t-shirts or other more or less useful stuff. Give it a try and see for yourself.

Of course, mailing support with "it does not work" is not very helpful. But mailing them with "I get a page fault in your xxx.dll when I do this or that, see attached mini-dump" is more than helpful.

There is an amazing number of really good software producers out there, but the number of "good customers" is low. It's like going to a restaurant and not complaining about bad food. They will never know and thus not change anything.

Andreas