Re: [SC-L] Sad state of affairs
On Fri, Sep 20, 2013 at 7:47 PM, Bobby G. Miller wrote:
> I was just listening to a podcast interviewing a security executive from a
> prominent vendor. The response to vulnerabilities was to raise the
> cost/complexity of exploiting bugs rather than actually employing secure
> coding practices. What saddened me most was that the approach was
> apparently effective enough.

+1. Software security is in a sad state. What I've observed: let the developers deliver something, then have it pen tested, and finally fix what the pen testers find. I call it "catch me if you can" security.

I think the underlying problem is the risk analysis equations. It's still cost effective to do little or nothing. Those risk analysis equations need to be unbalanced. And I don't believe this is the solution: http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems. Too many carrots and too few sticks means it becomes more profitable to continue business as usual.

Jeff

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___
Re: [SC-L] Sad state of affairs
Well, one of the objectives of employing secure coding practices is just that - to raise the cost and complexity of exploiting bugs.

Cheers,
Prasad

> On Sep 20, 2013, at 7:47 PM, "Bobby G. Miller" wrote:
>
> I was just listening to a podcast interviewing a security executive from a
> prominent vendor. The response to vulnerabilities was to raise the
> cost/complexity of exploiting bugs rather than actually employing secure
> coding practices. What saddened me most was that the approach was apparently
> effective enough.
[SC-L] Sad state of affairs
I was just listening to a podcast interviewing a security executive from a prominent vendor. The response to vulnerabilities was to raise the cost/complexity of exploiting bugs rather than actually employing secure coding practices. What saddened me most was that the approach was apparently effective enough.