> Question is: would it make sense to lobby for disclosure requirements of all
> writes software does, to whatever, and reasons for them, as conditions to make
> it fit for sale? Perhaps likewise to be a (or the?) defense against claims the
> software is doing things to others' machines without authorization?
>
> Certainly such lists would require more of everyone installing software, at
> least in principle (I imagine permission interpreters would alleviate most
> work), but they would also make it possible for the first time to give trust in
> an informed way.
People see Microsoft in the news all the time for having vulnerabilities and it isn't stopping them from making money. Regarding websites, MySpace and other large online companies have also been bitten and aren't being negatively affected.

I think creation of federal guidelines requiring security in the development cycle would be a much more practical way to force people to implement appropriate baseline security measures. To some extent policies such as SOX are starting this process regarding certain types of data or environments. In the majority of cases, without the threat of preventing business, you're not going to get people to do anything unless they absolutely need to.

Regards,
- Robert
http://www.cgisecurity.com/
http://www.webappsec.org/
http://www.qasec.com/

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________