Re: Sad state of affairs

[Jeffrey Walton <noloader () gmail com>]

On Fri, Sep 20, 2013 at 7:47 PM, Bobby G. Miller <b.g.miller () gmail com> wrote:
> I was just listening to a podcast interviewing a security executive from a
> prominent vendor.  The response to vulnerabilities was to raise the
> cost/complexity of exploiting bugs rather than actually employing secure
> coding practices.  What saddened me most was that the approach was
> apparently effective enough.
+1. Software security is in a sad state. What I've observed: let the
developers deliver something, then have it pen tested, and finally fix
what the pen testers find. I call it "catch me if you can" security.

I think the underlying problem is the risk analysis equations. Its
still cost effective to do little or nothing. Those risk analysis
equations need to be unbalanced.

And I don't believe this is the solution:
http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems.
Too many carrots and too few sticks means it becomes more profitable
to continue business as usual.

Jeff
_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________