bumper sticker slogan for secure software

[vanderaj at greebo.net (Andrew van der Stock)]

Actually, it is a myth.

For every non-trivial system, there are business pressures on  
resourcing, deadlines, and acceptable quality (pick any two). Once a  
business has set their taste for risk, it makes no sense to spend say  
$10m on security controls on a product and delay it for six months  
which may only bring in $2m in revenue in total, or none at all if  
the company runs out of money to bring it to market.

At the moment, most companies neither accept or assign the risk,  
enumerate the risk correctly, nor take adequate steps to eliminate as  
much risk as possible. We need to improve all three aspects. Even in  
a perfect world, there will still be bugs and security defects. Let's  
make sure that the remaining ones are really hard to exploit, and  
when the exploit happens, not much loss occurs.

thanks,
Andrew

On 19/07/2006, at 10:59 AM, mikeiscool wrote:

> > Absolute security is a myth.
>
> no it isn't. pretending it is a 'myth' is an attempt by sloppy
> programmers and designers to explain away the reasons for their
> applications failing.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2234 bytes
Desc: not available
Url : http://krvw.com/pipermail/sc-l/attachments/20060720/a1a1e54b/attachment.bin