funsec mailing list archives

Curious questions...

From: Kowsik Guruswamy <kowsik () gmail com>
Date: Mon, 24 Oct 2005 11:27:15 -0700

This is funsec after all and OT seems to be the order of the day. We
have a lot of great people on this list to discuss/critique
vulnerabilities and mis-implementations that ultimately cause
vulnerabilities.

Questions are as follows:
- How many of you have worked in product development where there was
at least 1 million lines of code (a number pulled out of thin air) to
which you had to contribute? It doesn't matter if it was open source
or commercial.
- During that process how many 'vulnerabilities' (i.e. bugs) did you
end up introducing? This could be based on automated analysis,
peer-reviews, audits, full-disclosures, etc.
- What tools did you use to help you find these vulnerabilities?

The reason for my questions is simple: There seems to be a huge
[technology/awareness] gap between the people that build
software/hardware/systems and the people that find holes in those
systems. Both sets of people are fairly competent in what they do. I
am curious if the people that are extremely competent in finding holes
have ever been in product development which has a whole different set
of challenges (features, time-to-market, performance, scalability,
cpu-memory trade-offs, portability, modularity, etc) and typically
(not always true) security is an afterthought.

What I'm really leading to is, how can we, as people involved in the
security industry, address and fix this gap? Full-disclosure is fine
and dandy, but it doesn't get to the root cause early enough.

Thanks,

K.

ps: I used to be at Juniper and I was the chief architect for their
IDP product line. In that role, I've seen both sides of the coin
(more product development than active vulnerability research though).

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.