mailing list archives
From: Scott Blake <blake () HOMEPORT ORG>
Date: Tue, 28 Nov 2000 18:00:59 -0600
people's motivations, I feel it is time once again to point
out that none of
this would be relevant if application developers would do
their own security
reviews prior to releasing their software, rather than
While security reviews certainly help (immensely in some cases), they
are far from foolproof. My company conducts regular reviews of our our
software and we miss things. Sometimes, other people find them before
we do. I believe it is inherent in commercial software production, at
least. I suspect some OpenBSD people might even agree that security
reviews and security concious developers help but are no guarantee that
nothing will go wrong. Indeed, only government reviews seem to make any
claims about assured security in systems.
As we have all seen, the economics here are very straightforward. Until
consumers demand secure products (with their dollars, not their voices)
we will have insecure software. In the meantime, I think there is a
balance to be struck between giving vendors time to fix their problems
and the public's need to know. When vendors take too long, pressure can
be brought short of dramatically widening the dangers to their users.
My own rule of thumb is to give vendors time as long as they appear to
be laboring in good faith. I'm open to the argument that that's naive,
but you'd be hard-pressed to show that it makes the public -less- secure
than immediate public disclosure.
Face it folks, the vendors aren't to blame, the market economy is.
blake () razor bindview com
Security Program Manager