Bugtraq mailing list archives

Re: Microsoft and Security


From: Jason Coombs <jasonc () science org>
Date: Mon, 05 Jul 2004 14:33:45 -1000

Alun Jones wrote:
... okay, so you're arguing that even more QA and more testing should be
<snip>
releasing a smaller fix, with minimal impact, as soon as possible.
<snip>
improving the process, perhaps you should try and express those suggestions
in a coherent manner that could be used
...

Aloha, Alun.

My suggestion is a simple one that all software developers can manage to incorporate into their busy schedules and tight budgets:

Hire an expert to conduct a thorough forensic review of the software before it is released, and publish the forensic analysis report.

Any vulnerabilities, flaws, areas that need additional work, portions that were built by subcontractors of questionable skill or loyalties, portions that were offshored, features that the programmers themselves warn are not yet done by placing comments in the source code, third party libraries or code or algorithms that may create intellectual property liability for the end user, and all other issues of computer forensics and computer law should be spelled out as clearly as possible by any company that develops and distributes software to the public.

Anyone who does not publish a forensic analysis report along with their software should publish the source code, whether or not they release legal rights to that source code under an open source or free software license.

The computing public should not have to reverse engineer software products in order to figure out what they do to the computers on which they are installed and used.

Even the Department of Justice knew better than to allow the FBI to build and deploy law enforcement computer technology without hiring an expert to write a forensic report on the product, and the FBI doesn't try to sell "Carnivore" to anyone.

http://www.epic.org/privacy/carnivore/

Final Independent Technical Review of the Carnivore System
http://www.epic.org/privacy/carnivore/carniv_final.pdf

We should require software vendors to take this stuff seriously.

Sincerely,

Jason Coombs
jasonc () science org
