On Monday, 08/21/2006 at 12:20 CST, "Jeffrey D. Smith" <[EMAIL PROTECTED]> wrote:

> When I point out gross errors like that to the "product author", the
> response is: (1) they didn't understand exposure, and (2) their product
> was too far into development to change it, and (3) if the customer doesn't
> know about it then it won't hurt them.
This is an arena where requiring (for example) Common Criteria certification with a "+" (e.g. EAL3+) can come in handy. To achieve said certification, they have to demonstrate an effective flaw remediation process for security issues. It is something to consider when discussing your security requirements with your vendors. (Have them weigh that requirement against their willingness to put SAF calls in their authorized SVCs.)

Alan Altmark
z/VM Development
IBM Endicott

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

