Secure Coding mailing list archives
Re: Why Software Will Continue to Be Vulnerable
From: "Jeff Williams" <jeff.williams () aspectsecurity com>
Date: Sun, 01 May 2005 17:56:59 +0100
What really mystifies me is the analogy to fire insurance. *Everyone* keeps their fire insurance up to date, it costs money, and it protects against a very rare event that most fire insurance customers have never experienced. What is it that makes consumers exercise prudent good sense for fire insurance, but not in selecting software?

Fire safety is physical, not tremendously complicated, and we have tons of actuarial data. Software security, on the other hand, is extremely difficult for anyone to measure -- it takes a lot of effort, even with the most advanced tools and knowledge. So there's no way for anyone to tell which software is secure. Many vendors make dramatically inflated claims about their product's security features and rarely get called on them. For example, there are dozens of vendors claiming that their technology solves the OWASP Top Ten -- which is ridiculous.

Anyway, it's not surprising to me that consumers aren't seeking out security. Or that vendors aren't providing it, for that matter. In my opinion, the market is broken because of asymmetric information, and it will never work until we find ways to make security more visible to everyone.

I did a talk on this at the NSA High Confidence Software and Solutions conference a few weeks back. The slides are here: http://www.aspectsecurity.com/documents/Aspect_HCSS_Brief.ppt

--Jeff

Jeff Williams
Aspect Security, Inc.
www.aspectsecurity.com
Current thread:
- Why Software Will Continue to Be Vulnerable Crispin Cowan (Apr 30)
- RE: Why Software Will Continue to Be Vulnerable Arian J. Evans (May 01)
- Re: Why Software Will Continue to Be Vulnerable Greenarrow 1 (May 01)
- Re: Why Software Will Continue to Be Vulnerable Crispin Cowan (May 01)
- Re: Why Software Will Continue to Be Vulnerable Dave Aronson (May 01)
- Re: Why Software Will Continue to Be Vulnerable Jeff Williams (May 01)
- Re: Why Software Will Continue to Be Vulnerable Michael Silk (May 02)
- Re: Why Software Will Continue to Be Vulnerable Kenneth R. van Wyk (May 02)
- Re: Why Software Will Continue to Be Vulnerable ljknews (May 02)
- Re: Why Software Will Continue to Be Vulnerable Crispin Cowan (May 03)
- Re: Why Software Will Continue to Be Vulnerable Michael Silk (May 03)
- Re: Why Software Will Continue to Be Vulnerable Crispin Cowan (May 01)
- <Possible follow-ups>
- re: Why Software Will Continue to Be Vulnerable Bill Cheswick (May 02)
- Re: re: Why Software Will Continue to Be Vulnerable Gunnar Peterson (May 02)
- Re: re: Why Software Will Continue to Be Vulnerable Blue Boar (May 03)