Re: Towards a responsible vulnerability process
From: Ryan Russell (ryan@SECURITYFOCUS.COM)Date: 11/05/01
- Previous message: Geo.: "Re: Towards a responsible vulnerability process"
- In reply to: David LeBlanc: "Re: Towards a responsible vulnerability process"
- Next in thread: NetArchitect Old Mail: "Re: Towards a responsible vulnerability process"
- Next in thread: Joe Melhado: "Re: Towards a responsible vulnerability process"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <Pine.GSO.4.30.0111041928571.14583-100000@mail> Date: Sun, 4 Nov 2001 19:54:36 -0700 From: Ryan Russell <ryan@SECURITYFOCUS.COM> Subject: Re: Towards a responsible vulnerability process To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
On Sun, 4 Nov 2001, David LeBlanc wrote:
> Indeed. But the best example we have of code that is nearly bug-free is the
> software that runs the space shuttle. If you'd like to apply those same
> development methods to a commercial operating system, expect to shell out on
> the order of a million dollars a copy - probably more, as the number of
> customers would tend to drop rapidly.
That might fly if there weren't a free operating system that does
considerably better with security, though it does so by, in part, having
fewer features. It's possible that there's a relationship between more
features and more holes... Anyway, the main reason is security is the
focus (no pun intended.) Security IS their feature. Microsoft does a
pretty good job of working towards a goal when they decide to. I wish
that people outside of your group at MS were as interested.
> You go write a piece of bug-free software that's on the order of 10,000 LOC
> and I'll listen to you on this. You go ship a piece of commercial software
> that's bug-free and you'll have some credibility. To the best of my
> knowledge, there has never been a significantly large commercial application
> that is completely bug-free.
The people (that I'm aware of) who have come closest to that goal are
Donald Knuth and Daniel J. Bernstein. Perhaps coincidentally, they are
both CS professors. However, their software isn't commercial. Is the
moral that the pressures of trying to turn a profit are what prevent good
programming? Or is it that it takes a lot of concern about security (or
correctness) and a willingness to have long development times? Or are
those the same thing?
Ryan
- Previous message: Geo.: "Re: Towards a responsible vulnerability process"
- In reply to: David LeBlanc: "Re: Towards a responsible vulnerability process"
- Next in thread: NetArchitect Old Mail: "Re: Towards a responsible vulnerability process"
- Next in thread: Joe Melhado: "Re: Towards a responsible vulnerability process"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
