I feel government should not become involved with the internet and/or its 
security.  For one, if people look at the government's security, most 
departments have a grade of C or below.  Would you want someone like that 
telling you how to secure programming?

Regards,
George
Greenarrow1
InNetInvestigations-Forensics


----- Original Message ----- 
From: "Kenneth R. van Wyk" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 20, 2004 8:07 AM
Subject: Re: [SC-L] Yoran on the state of software security


> Greetings all,
>
> I was asked to clarify what I posted yesterday re Amit Yoran's recent public
> statements on the topic of software security.
>
> On Tuesday 20 April 2004 03:27, an SC-L reader wrote:
> > Ken, could you clarify a little please?
>
> Happy to, see below.
>
> > I detect a slightly snide tone that suggests that you disagree with the
> > assertion that "it is inexplicable to produce software that suffers from
> > buffer overruns".  Is that really your position?  If so, why?
>
> Heavens no!  Sorry for the ambiguity.  Indeed, the issue of buffer overruns is
> probably the principal one that convinced me to co-author Secure Coding with
> Mark Graff.  I'd like to see them become the polio of the tech world.
>
> What I was trying to make light about in my note is whether Yoran got that
> notion from my statement in my TechTV interview -- that we have to focus more
> of our attention at improving software security.  That was where the "me
> neither..." came from, because I have no delusions that he would have caught
> my segment on the show -- or that it would have influenced him in any way
> even if he had.
>
> > Of course there are lots of other security issues (not least "social
> > engineering" ones) but in what way is security /harmed/ by disciplined
> > programming in appropriate languages supported by appropriate tools?  Our
> > experience is that such rigorous software engineering approaches result in
> > more robust and secure product and a significant cost saving over less
> > rigorous approaches.
>
> Yes, I fully concur.  I found it encouraging that Yoran is raising software
> security as a major issue also.  I do wish that he'd used other examples than
> only buffer overruns, but it's a good step in the right direction.  I'm
> particularly big on improving the design phase, long before any line of code
> (overrun or not) has been written.
>
> Does that help clarify my point?
>
> Cheers,
>
> Ken van Wyk
> -- 
> KRvW Associates, LLC
> http://www.KRvW.com
> 
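The thread above argues that buffer overruns are avoidable through disciplined programming and appropriate tooling. As an added illustration that is not part of the original exchange or of either author's work, the following C shows the unchecked fixed-buffer copy that produces the defect class under discussion next to a bounded alternative. The helper names (copy_bounded, fits, store_name_safely, store_name_unsafely) and the 16-byte buffer size are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* The pattern the thread calls "inexplicable": input of unknown length is
   copied into a fixed 16-byte stack buffer with no bound, so any input of
   16 bytes or more writes past the end of name[]. Kept here only to show
   the shape of the defect; it is never called with untrusted input below. */
int store_name_unsafely(const char *input) {
    char name[16];
    strcpy(name, input);          /* no length check: the overrun */
    return (int)strlen(name);
}

/* Pre-flight check: would src (plus its terminator) fit in dst_size bytes? */
int fits(size_t dst_size, const char *src) {
    return dst_size > 0 && strlen(src) < dst_size;
}

/* Hypothetical bounded copy (assumed helper, not a standard routine):
   copies at most dst_size-1 bytes, always NUL-terminates, and reports
   whether the whole source fit. Returns 1 if it fit, 0 if truncated. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return 0;
    size_t n = strlen(src);
    size_t to_copy = n < dst_size - 1 ? n : dst_size - 1;
    memcpy(dst, src, to_copy);
    dst[to_copy] = '\0';
    return n <= dst_size - 1;
}

/* Same fixed buffer, but the copy is bounded by sizeof name, so oversized
   input is truncated and flagged instead of overwriting the stack. */
int store_name_safely(const char *input) {
    char name[16];
    return copy_bounded(name, sizeof name, input);
}

int main(void) {
    /* Constructed sample inputs: one short, one deliberately too long. */
    const char *ok = "Ken";
    const char *too_long = "this name is far longer than sixteen bytes";
    printf("short input fits: %d\n", store_name_safely(ok));
    printf("long input fits:  %d\n", store_name_safely(too_long));
    printf("pre-check long:   %d\n", fits(16, too_long));
    return 0;
}
```

The bounded version makes the failure mode explicit: the caller gets a return value it can check and log, which is the kind of "appropriate tools and discipline" outcome the thread is asking for.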

