RE: Re: Application Insecurity --- Who is at Fault?

["Edward Rohwer" <ed () rohwer com>]

 I my humble opinion, the bridge example gets to the heart of the
matter. In the bridge example the bridge would have been design and
engineered by licensed professionals, while we in the software business
sometime call ourselves "engineers" but fall far short of the real,
professional, licensed engineers other professions depend upon.  Until we as
a profession are willing to put up with that sort of rigorous examination
and certification process, we will always fall short in many area's and of
many expectations.

Ed. Rohwer CISSP

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of [EMAIL PROTECTED]
Sent: Friday, April 08, 2005 10:54 PM
To: Margus Freudenthal
Cc: Secure Coding Mailing List
Subject: [SC-L] Re: Application Insecurity --- Who is at Fault?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Margus Freudenthal wrote:

> > Consider the bridge example brought up earlier. If your bridge builder
> > finished the job but said: "ohh, the bridge isn't secure though. If
> > someone tries to push it at a certain angle, it will fall".
>
> Ultimately it is a matter of economics. Sometimes releasing something
earlier 
> is worth more than the cost of later patches. And managers/customers are
aware 
> of it.

Unlike in the world of commercial software, I'm pretty sure you don't 
see a whole lot of construction contracts which absolve the architect of 
liability for design flaws.  I think that is at the root of our 
problems.  We know how to write secure software; there's simply precious 
little economic incentive to do so.

- --
David Talkington
[EMAIL PROTECTED]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFCV24Q5FKhdwBLj4sRAoC9AKCb6j5dKOLgFwDMuVa8giSbMvmW2gCfdwn7
QcS6J7NVPFsISzhLoBgQWHM=
=0ZSy
-----END PGP SIGNATURE-----