Re: Towards a responsible vulnerability process

From: Ryan Russell (ryan@SECURITYFOCUS.COM)
Date: 11/05/01


Message-ID:  <Pine.GSO.4.30.0111041928571.14583-100000@mail>
Date:         Sun, 4 Nov 2001 19:54:36 -0700
From: Ryan Russell <ryan@SECURITYFOCUS.COM>
Subject:      Re: Towards a responsible vulnerability process
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

On Sun, 4 Nov 2001, David LeBlanc wrote:

> Indeed. But the best example we have of code that is nearly bug-free is the
> software that runs the space shuttle. If you'd like to apply those same
> development methods to a commercial operating system, expect to shell out on
> the order of a million dollars a copy - probably more, as the number of
> customers would tend to drop rapidly.

That might fly if there weren't a free operating system that does
considerably better with security, though it does so by, in part, having
fewer features. It's possible that there's a relationship between more
features and more holes... Anyway, the main reason is security is the
focus (no pun intended.) Security IS their feature. Microsoft does a
pretty good job of working towards a goal when they decide to. I wish
that people outside of your group at MS were as interested.

> You go write a piece of bug-free software that's on the order of 10,000 LOC
> and I'll listen to you on this. You go ship a piece of commercial software
> that's bug-free and you'll have some credibility. To the best of my
> knowledge, there has never been a significantly large commercial application
> that is completely bug-free.

The people (that I'm aware of) who have come closest to that goal are
Donald Knuth and Daniel J. Bernstein. Perhaps coincidentally, they are
both CS professors. However, their software isn't commercial. Is the
moral that the pressures of trying to turn a profit are what prevent good
programming? Or is it that it takes a lot of concern about security (or
correctness) and a willingness to have long development times? Or are
those the same thing?

                                                Ryan



Relevant Pages

  • Re: Microsoft security Essentials
    ... they are trapped by the philosophy that marketing ... The Windows operating system has all kinds of features ... These features are enabled by default, ... or no security because it is realized that the end users don't want to ...
    (alt.computer.security)
  • Re: Recommended patch cluster + Solaris releases - any difference?
    ... The "Solaris Patch Management: Recommended Strategy" whitepaper says ... that some patches add new features as well as fixing bugs and security ... operating system will add even more features on top of this? ...
    (comp.sys.sun.admin)
  • Re: Can not send email
    ... Vista takes a new approach to security, ... the operating system and its features. ... Cox-related application is not compatible with Windows Vista: ...
    (microsoft.public.windows.vista.mail)
  • [Full-Disclosure] w32.frethem.k@mm and good reading
    ... Script kiddies deface websites. ... only obfuscating your own perception of security. ... >> vulnerabilities in a particular operating system or server software ... >> Imagine a custom operating system used by only a few servers, ...
    (Full-Disclosure)
  • [Full-Disclosure] w32.frethem.k@mm and good reading
    ... Script kiddies deface websites. ... only obfuscating your own perception of security. ... >> vulnerabilities in a particular operating system or server software ... >> Imagine a custom operating system used by only a few servers, ...
    (Full-Disclosure)