Interesting tidbit in iDefense Security Advisory 06.26.07

[paco at cigital.com (Paco Hope)]

On 6/26/07 4:25 PM, "Wall, Kevin" <Kevin.Wall at qwest.com> wrote:

I mean, was the fix really rocket science that it had to take THAT LONG??? IMHO, no excuse for taking that long.

8 months seems awfully long, but it doesn't surprise me that a big organization takes a really long time to get things 
like this out the door. I have worked with a lot of software companies over the years, and few have their entire test 
suite (unit, integration, system, regression) fully automated. It just doesn't work that way. People on this list would 
be just as condemning of a company that rushed a fix out the door with inadequate testing and managed to ship a new 
buffer overflow in the fix for an old one. Furthermore, it's not like the source code had been sitting idle with no 
modifications to it. They were surely in the middle of a dev cycle where they were adding lots of features and testing 
and so on. They have business priorities to address, since those features (presumably) are what bring revenue in the 
door and keep competitors off their market turf.

So, if everyone dropped everything they were doing and focused solely on fixing this one issue and doing a full battery 
of tests until it was release-worthy, it would have gone out a lot faster. But a company that did that on every bug 
that was reported would get no features released and go out of business. They have to weigh the impact of missing 
product goals versus the risk of exploits of a buffer overflow. I'm not sure we can categorically say (none of us being 
RealNetworks people) that they made the wrong decision. We don't have the information.

Paco
--
Paco Hope, CISSP
Technical Manager, Cigital, Inc
http://www.cigital.com/ * +1.703.585.7868
Software Confidence. Achieved.