Re: Re: Application Insecurity --- Who is at Fault?

[der Mouse <mouse () Rodents Montreal QC CA>]

> > > I would question you if you suggested to me that you always assume
> > > to _NOT_ include 'security' and only _DO_ include security if
> > > someone asks.
> > "Security" is not a single thing that is included or omitted.
> Again, in my experience that is not true.  Programs that are labelled
> 'Secure' vs something that isn't.

*Labelling as* secure _is_ (or at least can be) something that is
boolean, included or not.  The actual security behind it, if any, is
what I was talking about.

> In this case, there is a single thing - Security - that has been
> included in one and not the other [in theory].

Rather, I would say, there is a cluster of things that have been boxed
up and labeled "security", and included or not.  What that box includes
may not be the same between the two cases, even, never mind whether
there are any security aspects that aren't in the box, or non-security
aspects that are.

> Also, anyone requesting software from a development company may say:
> "Oh, is it 'Secure'?"  Again, the implication is that it is a single
> thing included or omitted.

Yes, that is the implication.  It is wrong.

The correct response to "is it secure?" is "against what threat?", not
"yes" or "no".  I would argue that anyone who thinks otherwise should
not be coding or specifying for anything that has a significant cost
for a security failure.  (Which is not to say that they aren't!)

/~\ The ASCII                                der Mouse
\ / Ribbon Campaign
 X  Against HTML               [EMAIL PROTECTED]
/ \ Email!             7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B