Sorry, by flaws, I should have said *"has not prevented bad
code/ineffective patches from being pushed out"*.
On Sun, Apr 21, 2013 at 12:41 AM, Benji <me () b3nji com> wrote:
(For example,
http://webcache.googleusercontent.com/search?q=cache:2cXGaaHnqyMJ:www.computerworld.com/s/article/9235954/Researchers_find_critical_vulnerabilities_in_Java_7_Update_11+&cd=8&hl=en&ct=clnk&gl=uk
)
On Sun, Apr 21, 2013 at 12:37 AM, Benji <me () b3nji com> wrote:
Because security engineers are different from the QA department you
originally suggested, and you seem to be very ideological about the
scenarios. As we've seen, Oracle's Java product has security engineers
and this has not prevented flaws.
On Sun, Apr 21, 2013 at 12:34 AM, Bryan <bryan () unhwildhats com> wrote:
"Your 5-chained-0day-to-code-exec, in my opinion, does not count as
negligence and comes from the developer effectively not being a
security engineer"
Solution: Hire security engineers.
"In my opinion we are not at the stage in industry where we can
consider/expect any developer to think through each implication of
each feature they implement"
Solution: Hire security engineers to think through each implication.
Why are we disagreeing?