At 10:09 AM -0500 4/1/04, Gary McGraw wrote:
>Hi all,
>
>I have done lots of soul searching lately and have come to the
>conclusion that trying to make software secure is not worth the effort.
>I think instead we should concentrate more effort on protection
>technologies such as advanced stateful firewalls, intrusion detection
>mechanisms, host-based behavior control, and above all policy.  We
>simply can't make software work effectively in a cost effective manner.
>
>I hope all of you will agree.  

I realize it is April Fools' Day, but all the "host-based behavior
control" I have encountered is implemented by operating system software.
If that software cannot be made secure, there is no hope.

The major time-wasting I see in software security is the leap of faith
from:

        theoretically, safe code can be written in any language

to:

        using "any language" to write safe code can be done within
        real-world economic constraints.
