The only point that I was trying to make is that there needs to be more of an investment in the security facet of software development, and that if a company is not willing to invest the resources to create a secure product, it should not whine when it gets hacked.
On Sun, Apr 21, 2013 at 12:43:15AM +0100, Benji wrote:
> Sorry, by flaws, I should have said, *"has not prevented bad
> code/ineffective patches from being pushed out"
>
> On Sun, Apr 21, 2013 at 12:41 AM, Benji <[email protected]> wrote:
>
>> (For example,
>> http://webcache.googleusercontent.com/search?q=cache:2cXGaaHnqyMJ:www.computerworld.com/s/article/9235954/Researchers_find_critical_vulnerabilities_in_Java_7_Update_11+&cd=8&hl=en&ct=clnk&gl=uk
>> )
>>
>> On Sun, Apr 21, 2013 at 12:37 AM, Benji <[email protected]> wrote:
>>
>>> Because security engineers are different to a QA department you
>>> originally suggested, and you seem to be very ideological about the
>>> scenarios. As we've seen, Oracle's Java product has security engineers
>>> and this has not prevented flaws.
>>>
>>> On Sun, Apr 21, 2013 at 12:34 AM, Bryan <[email protected]> wrote:
>>>
>>>> "Your 5-chained-0day-to-code-exec, in my opinion, does not count as
>>>> negligence and comes from the developer effectively not being a
>>>> security engineer"
>>>>
>>>> Solution: Hire security engineers.
>>>>
>>>> "In my opinion we are not at the stage in industry where we can
>>>> consider/expect any developer to think through each implication of
>>>> each feature they implement"
>>>>
>>>> Solution: Hire security engineers to think through each implication.
>>>>
>>>> Why are we disagreeing?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
