(For example, http://webcache.googleusercontent.com/search?q=cache:2cXGaaHnqyMJ:www.computerworld.com/s/article/9235954/Researchers_find_critical_vulnerabilities_in_Java_7_Update_11+&cd=8&hl=en&ct=clnk&gl=uk)
On Sun, Apr 21, 2013 at 12:37 AM, Benji <m...@b3nji.com> wrote:
> Because security engineers are different to a QA department you originally
> suggested, and you seem to be very ideologist about the scenarios. As we've
> seen, Oracle's Java product has security engineers and this has not
> prevented flaws.
>
>
> On Sun, Apr 21, 2013 at 12:34 AM, Bryan <br...@unhwildhats.com> wrote:
>
>> "Your 5-chained-0day-to-code-exec, in my opinion, does not count as
>> negligence and comes from the developer effectively not being a
>> security engineer"
>> Solution: Hire security engineers.
>>
>> "In my opinion we are not at the stage in industry where we can
>> consider/expect any developer to think through each implication of
>> each feature they implement"
>> Solution: Hire security engineers to think through each implication.
>>
>> Why are we disagreeing?
>>
>> On Sun, Apr 21, 2013 at 12:11:51AM +0100, Benji wrote:
>> > Your proposition was that developers will always make mistakes and
>> > introduce stupid problems, so a QA team/process is necessary. While I
>> > agree that there should be a QA/'audit' at some point, it shouldn't be the
>> > stage that is relied on. Applications that are flawed from the design
>> > stage onwards will become expenditure blackholes, especially after going
>> > through any QA process which should highlight these.
>> > Potentially yes, but most of the larger companies appear to already do
>> > this. A quick search through google shows that Oracle at least already
>> > have, and/or are actively hiring security engineers involved with Java
>> > (for example).
>> > Flaws will always pop up and I think we may now be bordering on discussing
>> > what counts as negligence in some cases. Your 5-chained-0day-to-code-exec,
>> > in my opinion, does not count as negligence and comes from the developer
>> > effectively not being a security engineer, but doing the job of a
>> > developer.
>> > In my opinion we are not at the stage in industry where we can
>> > consider/expect any developer to think through each implication of each
>> > feature they implement, without a strong security background as much as we
>> > may appreciate it. Negligence in my opinion of security vulnerabilities is
>> > having obvious format string bugs/buffer overflows when handling user
>> > input for example, or incorrect permissions, or just a lack of
>> > consideration to obvious problems. Developer training should pick up on
>> > the obvious bugs, or at least give developers an understanding of how to
>> > handle users/user input in a safe manner, and know the implications of not
>> > doing so.
>> >
>> > On Sat, Apr 20, 2013 at 11:58 PM, Bryan <br...@unhwildhats.com> wrote:
>> >
>> > I think the definition of 'needless staff' highly depends on whether you
>> > want 'vulnerable software'.
>> >
>> > Educating current developers is absolutely a good idea, but still not
>> > foolproof. The bottom line is that if you want safe software, you need
>> > to invest in proper development. As far as I am concerned, for large
>> > companies like Adobe and Oracle, where software bugs in your product
>> > have a direct impact on the safety of your customers, that involves
>> > hiring specialized staff.
>> >
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/