[17845] in bugtraq


Re: Submission

daemon@ATHENA.MIT.EDU (Scott Blake)
Wed Nov 29 14:54:14 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id:  <IAEKLMACCCHBGAKEJCAKMEMDCAAA.blake@homeport.org>
Date:         Tue, 28 Nov 2000 18:00:59 -0600
Reply-To: Scott Blake <blake@HOMEPORT.ORG>
From: Scott Blake <blake@HOMEPORT.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <200011271856.MAA01981@rgfsparc.cr.usgs.gov>

> people's motivations, I feel it is time once again to point
> out that none of
> this would be relevant if application developers would do
> their own security
> reviews prior to releasing their software, rather than

While security reviews certainly help (immensely in some cases), they
are far from foolproof.  My company conducts regular reviews of our
software and we miss things.  Sometimes, other people find them before
we do.  I believe it is inherent in commercial software production, at
least.  I suspect some OpenBSD people might even agree that security
reviews and security conscious developers help but are no guarantee that
nothing will go wrong.  Indeed, only government reviews seem to make any
claims about assured security in systems.

As we have all seen, the economics here are very straightforward.  Until
consumers demand secure products (with their dollars, not their voices)
we will have insecure software.  In the meantime, I think there is a
balance to be struck between giving vendors time to fix their problems
and the public's need to know.  When vendors take too long, pressure can
be brought short of dramatically widening the dangers to their users.
My own rule of thumb is to give vendors time as long as they appear to
be laboring in good faith.  I'm open to the argument that that's naive,
but you'd be hard-pressed to show that it makes the public -less- secure
than immediate public disclosure.

Face it folks, the vendors aren't to blame, the market economy is.

-----
Scott Blake
blake@razor.bindview.com
Security Program Manager
BindView Corporation
