funsec mailing list archives
Curious questions...
From: Kowsik Guruswamy <kowsik () gmail com>
Date: Mon, 24 Oct 2005 11:27:15 -0700
This is funsec after all and OT seems to be the order of the day. We have a lot of great people on this list to discuss/critique vulnerabilities and mis-implementations that ultimately cause vulnerabilities. Questions are as follows:

- How many of you have worked in product development where there was at least 1 million lines of code (a number pulled out of thin air) to which you had to contribute? It doesn't matter if it was open source or commercial.
- During that process, how many 'vulnerabilities' (i.e. bugs) did you end up introducing? This could be based on automated analysis, peer reviews, audits, full disclosures, etc.
- What tools did you use to help you find these vulnerabilities?

The reason for my questions is simple: there seems to be a huge [technology/awareness] gap between the people that build software/hardware/systems and the people that find holes in those systems. Both sets of people are fairly competent in what they do. I am curious if the people that are extremely competent in finding holes have ever been in product development, which has a whole different set of challenges (features, time-to-market, performance, scalability, CPU-memory trade-offs, portability, modularity, etc.) and where typically (not always true) security is an afterthought.

What I'm really leading to is, how can we, as people involved in the security industry, address and fix this gap? Full disclosure is fine and dandy, but it doesn't get to the root cause early enough.

Thanks,
K.

ps: I used to be at Juniper and I was the chief architect for their IDP product line. In that role, I've seen both sides of the coin (more product development than active vulnerability research though).

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- Curious questions... Kowsik Guruswamy (Oct 24)
- Re: Curious questions... Drsolly (Oct 24)
- Re: Curious questions... Kowsik Guruswamy (Oct 24)
- Re: Curious questions... Drsolly (Oct 24)
- Re: Curious questions... Kowsik Guruswamy (Oct 24)
- Re: Curious questions... Gary Warner (Oct 24)
- Re: Curious questions... Gary Warner (Oct 24)
- Re: Curious questions... Nick FitzGerald (Oct 24)
- Re: Curious questions... Tom Van Vleck (Oct 24)
- Re: Curious questions... Nick FitzGerald (Oct 24)
- Re: Curious questions... Kowsik Guruswamy (Oct 24)
- Re: Curious questions... Florian Weimer (Oct 24)
- Re: Curious questions... Drsolly (Oct 24)