Full Disclosure mailing list archives

Fwd: Re[2]: [Dailydave] Security people are leaches. [sic]


From: Thierry Zoller <Thierry () Zoller lu>
Date: Tue, 11 Aug 2009 17:14:51 +0200


As Dave seems to have his ongoing NZ filtering going on
again on the DailyDave list, I post it here..

Anybody want to create a list mirroring DD but letting replies through
even if those are against your views?

===8<=================== Original message text ===================
Hi Aaron,

> The 'shades of grey' only exist to security people.
Define "security people"? A complete branch of corporate risk
management is formed of "security people". So does this make it "less
of a problem"?

> To no one else is it important
> that a bug disclose information, allow invalid root access, or escalate privileges.
You obviously have not worked with or within a company that has to
balance all sorts of risks. If a kernel bug is slipped upstream
because it was not properly marked as a security issue, it means
potential loss. So since when is losing money "only important" to
"security people"? Security = Risk of loss, and Sir, this is important
for everybody in the company.

I am astounded how narrow-minded some developers have become. Some
apparently never see the complete picture of how a business operates,
how potential risks/losses are mitigated and how this impacts the
developers. SDL training seems to need an introduction on the
fundamentals of security, operational and others. A bird's-eye view;
maybe if the interconnections are understood some will understand why
it is important.

It's not a technical issue - at all.

PS. Dave - I am not writing comments for you to send to dev/null, I
consider my time more useful.

-- 
http://blog.zoller.lu
Thierry Zoller

===8<============== End of original message text =============
--- Begin Message --- From: Thierry Zoller <Thierry () Zoller lu>
Date: Fri, 21 Aug 2009 12:20:49 +0200
--- End Message ---
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
