On 7/20/06, Andrew van der Stock <[EMAIL PROTECTED]> wrote:
> Actually, it is a myth.
> For every non-trivial system, there are business pressures on
> resourcing, deadlines, and acceptable quality (pick any two). Once a
> business has set their taste for risk, it makes no sense to spend say
> $10m on security controls on a product and delay it for six months
> which may only bring in $2m in revenue in total, or none at all if
> the company runs out of money to bring it to market.
> At the moment, most companies neither accept or assign the risk,
> enumerate the risk correctly, nor take adequate steps to eliminate as
> much risk as possible. We need to improve all three aspects. Even in
> a perfect world, there will still be bugs and security defects. Let's
> make sure that the remaining ones are really hard to exploit, and
> when the exploit happens, not much loss occurs.


but none of this changes the fact that it IS possible to write
completely secure code.

> thanks,
> Andrew

-- mic
Secure Coding mailing list (SC-L)
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php

Reply via email to