On Tue, 6 Mar 2007, Kenneth Van Wyk wrote:

> While a simple strcpy-->strncpy (or similar) src edit takes just
> moments, and shouldn't impact the functionality and reliability of any
> software, patches are rarely that simple.

Agreed, but this needs to change. The threat environment has provably worsened, so that it can be incredibly damaging to an organization if they rely on software that takes months to fix. From my outsider (non-developer's) point of view, the development lifecycle needs to be able to handle emergency situations. The so-called "pimps" are unintentionally highlighting this problem; what happens when 0-days become more the norm and the time-to-patch hasn't changed?

> consumer advocacy. But, I'm convinced that we need to find a process
> that better balances the needs of the consumer against the secure
> software engineering needs.

This assumes that there is widespread interest in helping the consumer, which some researchers simply do not have, and certainly not the genuinely malicious parties. Not that I've given up on "responsible disclosure," but there will be a community of people who won't follow any recommendations that are put out, and hobbyists/independent researchers are also left out.

In some ways, I view the current state of affairs as a symptom - when software gets strong enough that someone has to spend a lot of time/resources to find a vulnerability and code an exploit, people won't be so willing to just toss it out to the public willy-nilly. It's just too easy to "grep and gripe" for vulns in typical software.

Last year, a 14-year-old researcher gave us vuln DBs a headache by finding about 500 vulnerabilities in the course of a few months, using blatantly obvious 10-minute tests on demo versions of software that went for $100 to $500 a pop. That was one of the biggest unreported news stories of the year, as far as I'm concerned. Such blatantly insecure software should not be that widespread. He's not disclosing to the public anymore, just to his own private group, and I don't think I prefer it that way. Interestingly, he was only interested in the "challenge," not the fame.
- Steve

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________