Secure Coding mailing list archives

Re: Application Insecurity --- Who is at Fault?


From: dtalk-ml () prairienet org
Date: Sun, 10 Apr 2005 22:00:12 +0100


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Margus Freudenthal wrote:

> Consider the bridge example brought up earlier. If your bridge builder
> finished the job but said: "ohh, the bridge isn't secure though. If
> someone tries to push it at a certain angle, it will fall".
>
> Ultimately it is a matter of economics. Sometimes releasing something earlier
> is worth more than the cost of later patches. And managers/customers are aware
> of it.


Unlike in the world of commercial software, I'm pretty sure you don't 
see a whole lot of construction contracts which absolve the architect of 
liability for design flaws.  I think that is at the root of our 
problems.  We know how to write secure software; there's simply precious 
little economic incentive to do so.


- --
David Talkington
[EMAIL PROTECTED]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFCV24Q5FKhdwBLj4sRAoC9AKCb6j5dKOLgFwDMuVa8giSbMvmW2gCfdwn7
QcS6J7NVPFsISzhLoBgQWHM=
=0ZSy
-----END PGP SIGNATURE-----