> Message from 04/06/14 05:40
> From: "coderman"
>
> On Tue, Jun 3, 2014 at 6:06 PM, wrote:
> > ...
> > Your proposal [building meaningful security in from the start] would cause
> > 99% of software currently in use to be rejected and make the development
> > costs increase as astronomically as to be compared to medical research.
>
> 1% making the cut is a far too generous estimate, perhaps 1% of 1%. as
> for the cost issue, which must be paid somewhere,
>
> you make two assumptions:
>
> first, assuming the externalities of insecure systems are simply
> non-existent. the costs of our pervasive vulnerability are
> gargantuan, yet the complexity and cost of robust alternatives
> instills paralysis. (this lack of significant progress in development
> of secure systems feeds your defeatist observations; it's ok ;)
I kind of feel like an ant looking at the task of moving a mountain.

> second, that the schedules and styles of development as we currently
> practice it will always be. if you solved a core (commodity) infosec
> problem once, very well, in a way that could be widely adopted, you
> would only need to implement it once! (then spending five years and
> tenfold cost building to last becomes reasonable)

Yah no, we never know when a problem is really solved. We may consider it solved, then someone comes and breaks it for us. Not even formal proofs stand forever.
