I feel government should not become involved with the internet and/or its security. For one, if people look at the government's security, most departments have a grade of C or below. Would you want someone like that telling you how to secure programming?
Regards,
George Greenarrow1
InNetInvestigations-Forensics

----- Original Message -----
From: "Kenneth R. van Wyk" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 20, 2004 8:07 AM
Subject: Re: [SC-L] Yoran on the state of software security

> Greetings all,
>
> I was asked to clarify what I posted yesterday re Amit Yoran's recent public
> statements on the topic of software security.
>
> On Tuesday 20 April 2004 03:27, an SC-L reader wrote:
> > Ken, could you clarify a little please?
>
> Happy to, see below.
>
> > I detect a slightly snide tone that suggests that you disagree with the
> > assertion that "it is inexplicable to produce software that suffers from
> > buffer overruns". Is that really your position? If so, why?
>
> Heavens no! Sorry for the ambiguity. Indeed, the issue of buffer overruns is
> probably the principal one that convinced me to co-author Secure Coding with
> Mark Graff. I'd like to see them become the polio of the tech world.
>
> What I was trying to make light about in my note is whether Yoran got that
> notion from my statement in my TechTV interview -- that we have to focus more
> of our attention at improving software security. That was where the "me
> neither..." came from, because I have no delusions that he would have caught
> my segment on the show -- or that it would have influenced him in any way
> even if he had.
>
> > Of course there are lots of other security issues (not least "social
> > engineering" ones) but in what way is security /harmed/ by disciplined
> > programming in appropriate languages supported by appropriate tools? Our
> > experience is that such rigorous software engineering approaches result in
> > more robust and secure product and a significant cost saving over less
> > rigorous approaches.
>
> Yes, I fully concur. I found it encouraging that Yoran is raising software
> security as a major issue also. I do wish that he'd used other examples than
> only buffer overruns, but it's a good step in the right direction. I'm
> particularly big on improving the design phase, long before any line of code
> (overrun or not) has been written.
>
> Does that help clarify my point?
>
> Cheers,
>
> Ken van Wyk
> --
> KRvW Associates, LLC
> http://www.KRvW.com