funsec mailing list archives
Re: Curious questions...
From: Kowsik Guruswamy <kowsik () gmail com>
Date: Mon, 24 Oct 2005 14:26:58 -0700
Replies inline...

On 10/24/05, Drsolly <drsollyp () drsolly com> wrote:
> On Mon, 24 Oct 2005, Kowsik Guruswamy wrote:
>
> > This is funsec after all and OT seems to be the order of the day. We have a lot of great people on this list to discuss/critique vulnerabilities and mis-implementations that ultimately cause vulnerabilities. Questions are as follows:
> >
> > - How many of you have worked in product development where there was at least 1 million lines of code (a number pulled out of thin air) to which you had to contribute? It doesn't matter if it was open source or commercial.
>
> I don't think we did that many lines of code.
>
> > - During that process how many 'vulnerabilities' (i.e. bugs) did you end up introducing? This could be based on automated analysis, peer-reviews, audits, full-disclosures, etc.
>
> lots
>
> > - What tools did you use to help you find these vulnerabilities?
>
> 1) we had a QA department, whose job was to find bugs, as well as test that the product found the viruses and didn't give false alarms.
>
> 2) But the ultimate testing was done by users, who have a far more diverse set of systems than any QA department could have.
So was this during the beta cycle or after the product was released? If it was the latter, then that means you had to generate minor releases and customers had to install patches and so on. Now if you were a vendor with over a million lines of code, 5 different major releases, 20 different customer special releases, 13 different os/cpu platforms, it certainly takes a while to respond to bugs^H^H^H^Hvulnerabilities found in the field.

I have nothing for or against vendors, but it seemed that in all the full-disclosures and advisories the complexities/practicalities of fixing a problem, post deployment, were silently ignored. We tend to quickly point out the fact that so-and-so had an open vulnerability for over 4 months and they haven't done anything to fix it.

Just to point this thread in the right direction, what do you think we can do to bring security [awareness/knowledge/know-how] into the development process? People are writing code all over like there's no tomorrow and we, as a software industry, haven't learned much since the Morris worm. Well, we might have learned a thing or two, but it's definitely not made it back to the average developer out there.

K.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.