funsec mailing list archives

Re: Curious questions...


From: Kowsik Guruswamy <kowsik () gmail com>
Date: Mon, 24 Oct 2005 14:26:58 -0700

Replies inline...

On 10/24/05, Drsolly <drsollyp () drsolly com> wrote:
> On Mon, 24 Oct 2005, Kowsik Guruswamy wrote:
>
> > This is funsec after all and OT seems to be the order of the day. We
> > have a lot of great people on this list to discuss/critique
> > vulnerabilities and mis-implementations that ultimately cause
> > vulnerabilities.
> >
> > Questions are as follows:
> > - How many of you have worked in product development where there was
> > at least 1 million lines of code (a number pulled out of thin air) to
> > which you had to contribute? It doesn't matter if it was open source
> > or commercial.
>
> I don't think we did that many lines of code.
>
> > - During that process how many 'vulnerabilities' (i.e. bugs) did you
> > end up introducing? This could be based on automated analysis,
> > peer-reviews, audits, full-disclosures, etc.
>
> lots
>
> > - What tools did you use to help you find these vulnerabilities?
>
> 1) we had a QA department, whose job was to find bugs, as well as test
> that the product found the viruses and didn't give false alarms.
>
> 2) But the ultimate testing was done by users, who have a far more diverse
> set of systems than any QA department could have.

So was this during the beta cycle or after the product was released?
If it was the latter, then that means you had to generate
minor releases and customers had to install patches and so on. Now if
you were a vendor with over a million lines of code, 5 different major
releases, 20 different customer special releases, 13 different os/cpu
platforms, it certainly takes a while to respond to
bugs^H^H^H^Hvulnerabilities found in the field. I have nothing for or
against vendors, but it seemed that in all the full-disclosures and
advisories the complexities/practicalities of fixing a problem, post
deployment, were silently ignored. We tend to quickly point out the fact
that so-and-so had an open vulnerability for over 4 months and they
haven't done anything to fix it.

Just to point this thread in the right direction, what do you think we
can do to bring security [awareness/knowledge/know-how] into the
development process? People are writing code all over like there's no
tomorrow and we, as a software industry, haven't learned much since
the Morris worm. Well, we might have learned a thing or two, but it
definitely hasn't made it back to the average developer out there.

K.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

