Secure Coding mailing list archives

Re: Sad state of affairs
From: Rafal Los <rafal () ishackingyou com>
Date: 20 Sep 2013 20:34:49 -0700


Wait a minute, this relationship is a bit confused I think. Prasad said it well: often the result of a maturing 
software security program is that the simple and easy bugs disappear and the ones that are left are difficult to find 
and complex in exploitation.

This is known as eliminating the "low hanging fruit". While this doesn't eliminate ALL bugs, I ultimately believe 
that's a fool's errand anyway. Making the software as free of bugs as possible necessarily makes the ones left in the 
system difficult to find and exploit. Then you work in good anomaly detection mechanisms and have a great case for 
*reasonably* secure software.

Of course, this is all predicated on you knowing and being able to define the word reasonable.

Just my opinion.

/// Rafal Los

----- Reply message -----
From: "Jeffrey Walton" <noloader () gmail com>
To: "Bobby G. Miller" <b.g.miller () gmail com>
Cc: "Secure Coding List" <sc-l () securecoding org>
Subject: [SC-L] Sad state of affairs
Date: Fri, Sep 20, 2013 10:01 PM


On Fri, Sep 20, 2013 at 7:47 PM, Bobby G. Miller <b.g.miller () gmail com> wrote:
> I was just listening to a podcast interviewing a security executive from a
> prominent vendor.  The response to vulnerabilities was to raise the
> cost/complexity of exploiting bugs rather than actually employing secure
> coding practices.  What saddened me most was that the approach was
> apparently effective enough.

+1. Software security is in a sad state. What I've observed: let the
developers deliver something, then have it pen tested, and finally fix
what the pen testers find. I call it "catch me if you can" security.

I think the underlying problem is the risk analysis equations. It's
still cost-effective to do little or nothing. Those risk analysis
equations need to be unbalanced.

And I don't believe this is the solution:
http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems.
Too many carrots and too few sticks means it becomes more profitable
to continue business as usual.

Jeff
_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________