Firewall Wizards mailing list archives

RE: Re: Code Red: What security specialist don't mention


From: "Marcus J. Ranum" <mjr () nfr com>
Date: Tue, 07 Aug 2001 20:54:53 -0400

"Scott, Richard" <Richard.Scott () BestBuy com> writes:
"Any piece of code, that is used for industrial purposes, that takes as
input some value, that is unbound, it must limit the input or make safe
calculation of additional storage medium to safely handle the data"

Now, the software and hardware industry would have as a rule something to
measure up against; it's very clear and must be implemented.  [...]

One interesting change I'm seeing in the industry is a side-effect of
UCITA. First off, if you don't know what UCITA is, go learn; it has huge
implications if you are a buyer or user of software. See:
http://www.ucitaonline.com
to get one view of the situation. See recent articles in various trade
rags for other views. It's a complex topic and you should make your
own judgements.

My judgement, and apparently many other software buyers' judgement,
is that UCITA is a preemptive strike by software makers against software
liability and safety regulation applied to software. One of the things I am
seeing a lot of recently is contracts: lots of contracts. 4 years ago when
a customer wanted to buy a bunch of software, they'd send a purchase
order. Today they send a contract over, which lays out the terms under
which they are willing to buy and use a piece of software. This gets
interesting and makes lawyers no end of happy. The lawyers like UCITA
too, by the way, because as professional clarifiers of things, they make
money hand over fist when things are unclear.

So my prediction is it'll get worse before it gets better. Lots worse.

mjr.
---
Marcus J. Ranum     Chief Technology Officer, NFR Security Inc.
Work:  http://www.nfr.com
Play: http://www.ranum.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards