Secure Coding mailing list archives
Re: Any software security news from the RSA conference?
From: Mark Curphey <mark () curphey com>
Date: Fri, 27 Feb 2004 02:26:32 +0000
Looks like the link I was pointing to didn't make it Here it is again http://news.zdnet.co.uk/internet/security/0,39020375,39147413,00.htm And the text below Software makers could eliminate most current security issues if they only tried harder, according to a Homeland Security advisor An advisor to the US' Homeland Security Council has lashed out at software developers, arguing their failure to deliver secure code is responsible for most security threats. Retired lieutenant general John Gordon, presidential assistant and advisor to the Homeland Security Council, used his keynote address at the RSA Security conference in San Francisco on Wednesday to question how much effort developers are putting into ensuring their code is watertight. "This is a problem for every company that writes software. It cannot be beyond our ability to learn how to write and distribute software with much higher standards of care and much reduced rate of errors and much reduced set of vulnerabilities," he said. Gordon's keynote followed a day after that of Microsoft chairman Bill Gates. According to Gordon, if developers could reduce the error and vulnerability rate by a factor of 10, it would "probably eliminate something like 90 percent of the current security threats and vulnerabilities. "Once we start writing and deploying secure code, every other problem in cybersecurity is fundamentally more manageable as we close off possible points of attack," he said. Gordon also criticised wireless network manufacturers for making encryption too difficult to deploy, even for "technically competent" users. He made the comments after explaining that he had spent a long weekend trying to set up a Wi-Fi network at his house. "One manufacturer got to invest an entire man-day of tech support and about eight hours of telephone charges. At the end of the day, I still had not accomplished a successful installation," said Gordon, who eventually managed to get the network running by "taking some steps that were not in the documentation". However, he said the documentation didn't make it clear how to secure his network: "The industry needs to make it easy for users like me -- who are reasonably technically competent -- to employ solid security features and not make it so tempting to simply ignore security." ---- Mark Curphey <[EMAIL PROTECTED]> wrote:
I thought this was interesting. I missed it but I am sure the message will please many on this list (myself included) ---- Bill Cheswick <[EMAIL PROTECTED]> wrote:Bill Gates gave a keynote on their current approach to security, and the contents of SP2, due out 1H 2004. From what I heard, Bill "gets it." He addressed about 4 of my top 6 complaints and remediations. Quite a change from the rhetoric of five years ago. But it is an Augean stable, and they have a long way to go. Of course, the devil is in the details, and we will have to see. On Wed, Feb 25, 2004 at 02:38:32PM -0500, Kenneth R. van Wyk wrote:Greetings, It's been a rather quiet week so far here on SC-L. I guess that everyone is either at the RSA conference (http://2004.rsaconference.com/) or otherwise too busy. I've been watching some of the reports that have been appearing in the trade press regarding announcements and such at the RSA conference (http://news.com.com/2009-7355_3-5163628.html?part=rss&tag=feed&subj). Most of the announcements seem to me to focus on new and upcoming products. While that's all well and good, I don't see anyone addressing issues of software security -- which probably shouldn't come as much of a surprise since software security is not even addressed in the conference theme/agenda (http://2004.rsaconference.com/agenda.aspx). Disappointing... Perhaps some kind SC-L subscriber that's at the conference will pass along any "software security sightings"? ;-) Cheers, Ken van Wyk -- KRvW Associates, LLC http://www.KRvW.com
Current thread:
- Any software security news from the RSA conference? Kenneth R. van Wyk (Feb 25)
- <Possible follow-ups>
- RE: Any software security news from the RSA conference? Gary McGraw (Feb 26)
- Re: Any software security news from the RSA conference? Bill Cheswick (Feb 26)
- Re: Any software security news from the RSA conference? jnf (Feb 27)
- Re: Any software security news from the RSA conference? ljknews (Feb 27)
- RE: Any software security news from the RSA conference? Alun Jones (Mar 01)
- Re: Any software security news from the RSA conference? Mark D. Rockman (Mar 02)
- Re: Any software security news from the RSA conference? Mark Curphey (Feb 26)
- Re: Any software security news from the RSA conference? Mark Curphey (Feb 26)
- Humor: Re: Any software security news from the RSA conference? Dave Aronson (Feb 27)
- RE: Any software security news from the RSA conference? Dave Paris (Feb 27)
- RE: Any software security news from the RSA conference? ljknews (Mar 01)