Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-03-06 Thread Steven M. Christey
On Tue, 6 Mar 2007, Kenneth Van Wyk wrote:
> While a simple strcpy-->strncpy (or similar) src edit takes just moments, and shouldn't impact the functionality and reliability of any software, patches are rarely that simple.

Agreed, but this needs to change. The threat environment has provabl

Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-03-06 Thread Blue Boar
Kenneth Van Wyk wrote:
> So, I applaud the public disclosure model from the standpoint of consumer advocacy. But, I'm convinced that we need to find a process that better balances the needs of the consumer against the secure software engineering needs.

Some patches can't reasonably be produ

[SC-L] Economics of Software Vulnerabilities

2007-03-06 Thread Ed Reed
For a long time I thought that software product liability would eventually be forced onto developers in response to their long-term failure to take responsibility for their shoddy code. I was mistaken. The pool of producers (i.e., the software industry) is probably too small for such blunt econom

Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-03-06 Thread Kenneth Van Wyk
On Mar 5, 2007, at 9:30 PM, Gary McGraw wrote: I think some vendors have come around to the economics argument. In every case, those vendors with extreme reputation exposure have attempted to move past penetrate and patch. Microsoft, for one, is trying hard, but (to use my broken leg analog

Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-03-06 Thread Gary McGraw
Right. And while you're calculating costs, don't forget to factor in the costs of all of the opiates that the McGraw automaton is now faced with eating as he wiles away his "patching time" on the orange chair. The break was severe indeed. I think some vendors have come around to the economic