Secure Coding mailing list archives
Interesting tidbit in iDefense Security Advisory 06.26.07
From: paco at cigital.com (Paco Hope)
Date: Tue, 26 Jun 2007 17:56:04 -0400
On 6/26/07 4:25 PM, "Wall, Kevin" <Kevin.Wall at qwest.com> wrote:

> I mean, was the fix really rocket science that it had to take THAT LONG???
> IMHO, no excuse for taking that long.

8 months seems awfully long, but it doesn't surprise me that a big organization takes a really long time to get things like this out the door. I have worked with a lot of software companies over the years, and few have their entire test suite (unit, integration, system, regression) fully automated. It just doesn't work that way. People on this list would be just as condemning of a company that rushed a fix out the door with inadequate testing and managed to ship a new buffer overflow in the fix for an old one.

Furthermore, it's not like the source code had been sitting idle with no modifications to it. They were surely in the middle of a dev cycle where they were adding lots of features and testing and so on. They have business priorities to address, since those features (presumably) are what bring revenue in the door and keep competitors off their market turf.

So, if everyone dropped everything they were doing and focused solely on fixing this one issue and doing a full battery of tests until it was release-worthy, it would have gone out a lot faster. But a company that did that on every bug that was reported would get no features released and go out of business. They have to weigh the impact of missing product goals versus the risk of exploits of a buffer overflow.

I'm not sure we can categorically say (none of us being RealNetworks people) that they made the wrong decision. We don't have the information.

Paco

-- 
Paco Hope, CISSP
Technical Manager, Cigital, Inc
http://www.cigital.com/ * +1.703.585.7868
Software Confidence. Achieved.
Current thread:
- Interesting tidbit in iDefense Security Advisory 06.26.07 Kenneth Van Wyk (Jun 26)
- Interesting tidbit in iDefense Security Advisory 06.26.07 Steven M. Christey (Jun 26)
- Interesting tidbit in iDefense Security Advisory 06.26.07 Wall, Kevin (Jun 26)
- Interesting tidbit in iDefense Security Advisory 06.26.07 Paco Hope (Jun 26)
- Interesting tidbit in iDefense Security Advisory 06.26.07 Steven M. Christey (Jun 26)
- The Next Frontier McGovern, James F (HTSC, IT) (Jun 26)
- The Next Frontier Paco Hope (Jun 27)
- The Next Frontier ljknews (Jun 27)
- The Next Frontier Steven M. Christey (Jun 27)
- The Next Frontier McGovern, James F (HTSC, IT) (Jun 28)
- Interesting tidbit in iDefense Security Advisory 06.26.07 Paco Hope (Jun 26)
- Interesting tidbit in iDefense Security Advisory 06.26.07 Leichter, Jerry (Jun 27)
- Comparing Software Vendors McGovern, James F (HTSC, IT) (Jun 28)