Sorry, by flaws, I should have said "has not prevented bad code/ineffective patches from being pushed out".
On Sun, Apr 21, 2013 at 12:41 AM, Benji <[email protected]> wrote:
> (For example,
> http://webcache.googleusercontent.com/search?q=cache:2cXGaaHnqyMJ:www.computerworld.com/s/article/9235954/Researchers_find_critical_vulnerabilities_in_Java_7_Update_11+&cd=8&hl=en&ct=clnk&gl=uk)
>
>
> On Sun, Apr 21, 2013 at 12:37 AM, Benji <[email protected]> wrote:
>
>> Because security engineers are different to a QA department you
>> originally suggested, and you seem to be very ideologist about the
>> scenarios. As we've seen, Oracle's Java product has security engineers and
>> this has not prevented flaws.
>>
>>
>> On Sun, Apr 21, 2013 at 12:34 AM, Bryan <[email protected]> wrote:
>>
>>> "Your 5-chained-0day-to-code-exec, in my opinion, does not count as
>>> negligence and comes from the developer effectively not being a
>>> security engineer"
>>> Solution: Hire security engineers.
>>>
>>> "In my opinion we are not at the stage in industry where we can
>>> consider/expect any developer to think through each implication of
>>> each feature they implement"
>>> Solution: Hire security engineers to think through each implication.
>>>
>>> Why are we disagreeing?
>>>
>>> On Sun, Apr 21, 2013 at 12:11:51AM +0100, Benji wrote:
>>> > Your proposition was that developers will always make mistakes and
>>> > introduce stupid problems, so a QA team/process is necessary. While I
>>> > agree that there should be a QA/'audit' at some point, it shouldn't be the
>>> > stage that is relied on. Applications that are flawed from the design
>>> > stage onwards will become expenditure blackholes, especially after going
>>> > through any QA process which should highlight these.
>>> > Potentially yes, but most of the larger companies appear to already do
>>> > this. A quick search through google shows that Oracle at least already
>>> > have, and/or are actively hiring security engineers involved with Java
>>> > (for example).
>>> > Flaws will always pop up and I think we may now be bordering on discussing
>>> > what counts as negligence in some cases. Your 5-chained-0day-to-code-exec,
>>> > in my opinion, does not count as negligence and comes from the developer
>>> > effectively not being a security engineer, but doing the job of a
>>> > developer. In my opinion we are not at the stage in industry where we can
>>> > consider/expect any developer to think through each implication of each
>>> > feature they implement, without a strong security background as much as we
>>> > may appreciate it. Negligence in my opinion of security vulnerabilities is
>>> > having obvious format string bugs/buffer overflows when handling user
>>> > input for example, or incorrect permissions, or just a lack of
>>> > consideration to obvious problems. Developer training should pick up on
>>> > the obvious bugs, or at least give developers an understanding of how to
>>> > handle users/user input in a safe manner, and know the implications of not
>>> > doing so.
>>> >
>>> > On Sat, Apr 20, 2013 at 11:58 PM, Bryan <[email protected]> wrote:
>>> >
>>> > I think the definition of 'needless staff' highly depends on whether you
>>> > want 'vulnerable software'.
>>> >
>>> > Educating current developers is absolutely a good idea, but still not
>>> > foolproof. The bottom line is that if you want safe software, you need
>>> > to invest in proper development. As far as I am concerned, for large
>>> > companies like Adobe and Oracle, where software bugs in your product
>>> > have a direct impact on the safety of your customers, that involves
>>> > hiring specialized staff.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
