Re: Is this list still active?

From: Jeroen van Drie (jvdev_at_3va.net)
Date: 11/24/04

    To: secprog@securityfocus.com
    Date: Wed, 24 Nov 2004 17:59:35 +0100

    > I completely dismiss the argument that people have in general given up.
    > I talk to too many people interested in learning how to avoid security
    > problems, and know otherwise. People who give up should focus on some
    > other way to make a living.

    I'm certainly trying to create spin when writing "How about the notion that
    we've basically given up on security." As coders we haven't. But in society
    there are signs of acceptance that viruses, worms, cracking, phishing and ID
    theft are unavoidable side effects of the information age. Perhaps as a
    society we are starting to give up.

    We all know how to make secure code because we've got organisations like
    OpenBSD and Wind River showing everyone how it's done. It's a painstaking,
    monastic review process that takes top people. I know that some organisations
    have equivalent inquisitional groups for when they can't afford to have their
    code blow up in their clients' faces, but in everyday code development there's
    no such rigour.

    Yeah, I like to think of code review in these terms: inquisition, monastic.
    Perhaps these guys should wear robes :) Our code serves important and
    sometimes critical social functions; we don't just owe it to our shareholders
    to produce good code, we contribute to the infrastructure of society.
