Secure Coding mailing list archives

Re: Re: Application Insecurity --- Who is at Fault?


From: Damir Rajnovic <gaus () cisco com>
Date: Mon, 11 Apr 2005 21:19:47 +0100

On Mon, Apr 11, 2005 at 12:21:30PM +1000, Michael Silk wrote:
> Back to the bridge or house example, would you allow the builder to
> leave off 'security' of the structure? Allow them to introduce some
> design flaws to get it done earlier? Hopefully not ... so why is it
> allowed for programming? Why can people cut out 'security' ? It's not
> extra! It's fundamental to 'programming' (imho anyway).

Even builders and architects do experiment and introduce new things.
Not all of these are outright successes. We have a wobbly bridge in the UK and
there is (was) a new terminal at Charles de Gaulle airport in Paris.

Every profession makes mistakes. Some are more obvious and some not. I am
almost certain that architects can tell you many more stories where
things were not done as securely as they should have been.

Comparisons can be misleading.

Gaus

==============
Damir Rajnovic <[EMAIL PROTECTED]>, PSIRT Incident Manager, Cisco Systems
<http://www.cisco.com/go/psirt>      Telephone: +44 7715 546 033
200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB
==============
There are no insolvable problems.
The question is can you accept the solution?





