Secure Coding mailing list archives
Open Source Code Contains Security Holes -- Open Source -- InformationWeek
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 10 Jan 2008 16:31:19 -0500 (EST)
Another question is how many of the reported bugs wound up being false positives. Through casual conversations with some vendor (I forget which), it became clear that the massive number of reported issues was very time-consuming to deal with, and not always productive. Of course this is no surprise to people on this list, but it is important to note.

Regarding vendor responses - through my work in CVE, I've noticed that a developer who's been "tagged" often enough will eventually develop more systematic responses such as secure APIs, coding standards, or at least a thorough review. This is briefly touched on in the Unforgivable Vulnerabilities paper that I gave at Black Hat USA last year, where I discuss vulnerability complexity as a qualitative indicator of software security.

- Steve