At 10:09 AM -0500 4/1/04, Gary McGraw wrote:
>Hi all,
>
>I have done lots of soul searching lately and have come to the
>conclusion that trying to make software secure is not worth the effort.
>I think instead we should concentrate more effort on protection
>technologies such as advanced stateful firewalls, intrusion detection
>mechanisms, host-based behavior control, and above all policy. We
>simply can't make software work effectively in a cost effective manner.
>
>I hope all of you will agree.

I realize it is April Fools day, but all the "host-based behavior control" I have encountered is implemented by operating system software. If that software cannot be made secure, there is no hope.

The major timewasting I see in software security is the leap of faith from:

    theoretically, safe code can be written in any language

to:

    using "any language" to write safe code can be done within real-world economic constraints.