[SC-L] Economics of Software Vulnerabilities

2007-03-27 Thread McGovern, James F (HTSC, IT)
May I share another perspective? 1. The debate between open source vs. closed source in terms of security doesn't matter. Does anyone have any metrics that quantify the economics of writing better corporate software not for public consumption? 2. If you can't make the economic case, then you

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-23 Thread security curmudgeon
On Wed, 21 Mar 2007, Steven M. Christey wrote: : With rare exceptions, in general, I do not find that the : open source community is that much more security conscious : than those producing closed source. Certainly this seems true : if measured in terms of vulnerabilities and we measure

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-23 Thread David A. Wheeler
On Wed, 21 Mar 2007, Steven M. Christey wrote: : With rare exceptions, in general, I do not find that the : open source community is that much more security conscious : than those producing closed source. Certainly this seems true : if measured in terms of vulnerabilities and we

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-23 Thread Gunnar Peterson
Just because people can look at a project in detail, doesn't mean they will. More to the point, just because people can, doesn't mean code auditing gurus will look at it. And sometimes, when they do look they get booted out of the project http://www.heise-security.co.uk/news/82500 -gp

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-21 Thread McGovern, James F (HTSC, IT)
own exposure... -Original Message- From: Wall, Kevin [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 20, 2007 9:16 PM To: McGovern, James F (HTSC, IT) Cc: sc-l@securecoding.org Subject: RE: [SC-L] Economics of Software Vulnerabilities James McGovern apparently wrote... The uprising from

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-21 Thread Arian J. Evans
Spot on thread, Ed: On 3/20/07, Ed Reed [EMAIL PROTECTED] wrote: Not all of these are consumer uprisings - some are, some aren't - but I think they're all examples of the kinds of economic adjustments that occur in mature markets. - Unsafe at any speed (the triumph of consumer safety over

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-21 Thread Steven M. Christey
On Wed, 21 Mar 2007, mudge wrote: Sorry, but I couldn't help but be reminded of an old L0pht topic that we brought up in January of 1999. Having just re-read it I found it still relatively poignant: Cyberspace Underwriters Laboratories[1]. I was thinking about this, too, I should have

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-21 Thread Steven M. Christey
I was originally going to say this off-list, but it's not that big a deal. Arian J. Evans said: I think you are on to something here in how to think about this subject. Perhaps I should float my little paper out there and we could shape up something worthwhile describing how the industry is

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-21 Thread mudge
On Mar 21, 2007, at 3:57 PM, Arian J. Evans wrote: Spot on thread, Ed: On 3/20/07, Ed Reed [EMAIL PROTECTED] wrote: Not all of these are consumer uprisings - some are, some aren't - but I think they're all examples of the kinds of economic adjustments that occur in mature markets.

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-20 Thread ljknews
At 8:55 AM -0400 3/20/07, Michael S Hines wrote: I'm not sure what your sources are but from what I'm hearing and reading the problem is that there are many missing drivers for what have become standard peripherals that people are used to - and some of the vendors are reluctant to develop new

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-20 Thread Wall, Kevin
James McGovern apparently wrote... The uprising from customers may already be starting. It is called open source. The real question is what is the duty of others on this forum to make sure that newly created software doesn't suffer from the same problems as the commercial closed source

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-19 Thread Gary McGraw
[mailto:[EMAIL PROTECTED] Sent: Mon Mar 19 16:00:48 2007 To: Gary McGraw Cc: Ed Reed; sc-l@securecoding.org Subject: Re: [SC-L] Economics of Software Vulnerabilities Gary McGraw wrote: I'm not sure vista is bombing because of good quality. That certainly would be ironic

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-19 Thread Crispin Cowan
Gary McGraw wrote: I'm not sure vista is bombing because of good quality. That certainly would be ironic. Word on the way down in the guts street is that vista is too many things cobbled together into one big kinda functioning mess. I.e. it is mis-featured, and lacks on some

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-19 Thread Ed Reed
Crispin Cowan wrote: Crispin, now believes that users are fundamentally what holds back security I was once berated on stage by Jamie Lewis for sounding like I was placing the blame for poor security on customers themselves. I have moved on, and believe, instead, that it is the economic

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-19 Thread Crispin Cowan
Ed Reed wrote: Crispin Cowan wrote: Crispin, now believes that users are fundamentally what holds back security I was once berated on stage by Jamie Lewis for sounding like I was placing the blame for poor security on customers themselves. Fight back harder. Jamie is wrong.

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-19 Thread Steven M. Christey
On Mon, 19 Mar 2007, Crispin Cowan wrote: Since many users are economically motivated, this may explain why users don't care much about security :) But... but... but... I understand the sentiment, but there's something missing in it. Namely, that the costs related to security are not really

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-13 Thread Gary McGraw
PROTECTED]; Ed Reed; sc-l@securecoding.org Subject: Re: [SC-L] Economics of Software Vulnerabilities On Mon, 12 Mar 2007, Crispin Cowan wrote: Ed Reed wrote: For a long time I thought that software product liability would eventually be forced onto developers in response to their long

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-13 Thread Gary McGraw
: [SC-L] Economics of Software Vulnerabilities Ed Reed wrote: For a long time I thought that software product liability would eventually be forced onto developers in response to their long-term failure to take responsibility for their shoddy code. I was mistaken. The pool of producers (i.e

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-13 Thread Gadi Evron
On Tue, 13 Mar 2007, Gary McGraw wrote: In my opinion, though fuzz testing is certainly a useful technique (we've used it in hardware verification for years), any certification based solely on fuzz testing for security would be ludicrous. Fuzz testing is not a silver bullet. Fuzzing is

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-12 Thread Crispin Cowan
Ed Reed wrote: For a long time I thought that software product liability would eventually be forced onto developers in response to their long-term failure to take responsibility for their shoddy code. I was mistaken. The pool of producers (i.e., the software industry) is probably too small

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-12 Thread Gadi Evron
On Mon, 12 Mar 2007, Crispin Cowan wrote: Ed Reed wrote: For a long time I thought that software product liability would eventually be forced onto developers in response to their long-term failure to take responsibility for their shoddy code. I was mistaken. The pool of producers (i.e.,

[SC-L] Economics of Software Vulnerabilities

2007-03-06 Thread Ed Reed
For a long time I thought that software product liability would eventually be forced onto developers in response to their long-term failure to take responsibility for their shoddy code. I was mistaken. The pool of producers (i.e., the software industry) is probably too small for such blunt