Secure Coding mailing list archives
Re: The problem is that user management doesn't demand security
From: Stephen Galliver <periodicals () galliver cx>
Date: Wed, 10 Dec 2003 00:24:03 +0000
Although I write software for a living, I consume much more than I write -- much of it being COTS. I expect the same could be said for most on this list.

--On Tuesday, December 09, 2003 11:52 AM -0500, George Capehart wrote:

> If software customers/end-users held software vendors accountable for the security of the software they buy, the software would be more secure than it is now.

I admit this next question may point to a lack of imagination on my part, but as a customer/end-user, *how* do you hold a vendor accountable for security?

Buying from the competition is the most obvious idea, but with a market segment [1] in a race to the bottom (the cheapest set of the most features), there may not be a secure alternative. Once you have chosen the best product you can, the vendor has your money. How then to apply pressure to squash bugs and fill holes?

The current model uses a mix of extortion (fix this hole or I release it to the world) and loss of brand value or reputation (fix this bug or everyone will know you don't support your customers). Without passing judgment on the current model, is there another way?

I wonder if these issues point to the ultimate advantage of the open source paradigm: that software is released when it is ready, not rushed out the door to corner market share. [2]

I don't know the answers; I just ask the questions...

All the best,
Stephen Galliver

[1] Say, for example, personal finance software, or any other "non-commoditized" segment where there are few alternatives.

[2] Of course, open source has its own set of problems, but they're not relevant to our topic (I think).
Current thread:
- Re: Let's get the ball rolling -- secure application design tools/processes Jerry Connolly (Dec 03)
- Re: Let's get the ball rolling -- secure application design tools/processes George Capehart (Dec 07)
- Re: Let's get the ball rolling -- secure application design tools/processes Crispin Cowan (Dec 08)
- The problem is that user management doesn't demand security David A. Wheeler (Dec 08)
- Re: The problem is that user management doesn't demand security Dana Epp (Dec 08)
- Re: The problem is that user management doesn't demand security Jared W. Robinson (Dec 09)
- Re: The problem is that user management doesn't demand security Erik van Konijnenburg (Dec 08)
- Re: The problem is that user management doesn't demand security Kenneth R. van Wyk (Dec 09)
- Re: The problem is that user management doesn't demand security George Capehart (Dec 09)
- Re: The problem is that user management doesn't demand security Stephen Galliver (Dec 09)
- Re: The problem is that user management doesn't demand security Andreas Saurwein (Dec 10)
- Re: The problem is that user management doesn't demand security Michael Cassidy (Dec 10)
- Re: Let's get the ball rolling -- secure application design tools/processes George Capehart (Dec 07)
- Re: The problem is that user management doesn't demand security George W. Capehart (Dec 10)
- Re: The problem is that user management doesn't demand security Julie Ryan (Dec 11)