Secure Coding mailing list archives
Re: Re: Application Insecurity --- Who is at Fault?
From: Michael Silk <michaelslists () gmail com>
Date: Wed, 13 Apr 2005 15:36:07 +0100
On 4/13/05, der Mouse <[EMAIL PROTECTED]> wrote:
I would question you if you suggested to me that you always assume to _NOT_ include 'security' and only _DO_ include security if someone asks.
"Security" is not a single thing that is included or omitted.
Again, in my experience that is not true. Programs that are labelled 'Secure' vs something that isn't.
*Labelling as* secure _is_ (or at least can be) something that is boolean, included or not. The actual security behind it, if any, is what I was talking about.
In this case, there is a single thing - Security - that has been included in one and not the other [in theory].
Rather, I would say, there is a cluster of things that have been boxed up and labeled "security", and included or not. What that box includes may not be the same between the two cases, even, never mind whether there are any security aspects that aren't in the box, or non-security aspects that are.
Also, anyone requesting software from a development company may say: "Oh, is it 'Secure'?" Again, the implication is that it is a single thing included or omitted.
Yes, that is the implication. It is wrong.
I couldn't agree more! This is my whole point. Security isn't 'one thing', but it seems the original article [that started this discussion] implied that so that the blame could be spread out. If you actually look at the actual problems you can easily blame the programmers :)
-- Michael