mailing list archives
Re: Sad state of affairs
From: Jeffrey Walton <noloader () gmail com>
Date: Fri, 20 Sep 2013 21:28:38 -0400
On Fri, Sep 20, 2013 at 7:47 PM, Bobby G. Miller <b.g.miller () gmail com> wrote:
I was just listening to a podcast interviewing a security executive from a
prominent vendor. The response to vulnerabilities was to raise the
cost/complexity of exploiting bugs rather than actually employing secure
coding practices. What saddened me most was that the approach was
apparently effective enough.
+1. Software security is in a sad state. What I've observed: let the
developers deliver something, then have it pen tested, and finally fix
what the pen testers find. I call it "catch me if you can" security.
I think the underlying problem is the risk analysis equations. Its
still cost effective to do little or nothing. Those risk analysis
equations need to be unbalanced.
And I don't believe this is the solution:
Too many carrots and too few sticks means it becomes more profitable
to continue business as usual.
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates