
| Subject: | Re: [Full-disclosure] [WEB SECURITY] Re: comparing information security to other industries |
|---|---|
| Date: | Tue, 26 Dec 2006 17:28:10 -0600 |
On Tuesday 26 December 2006 14:02, coderman wrote:

<snip>

> the vast majority of software developed does not pursue even trivial security assurances. look at the month of kernel bugs to see how common and trivial validations are ignored in critical kernel interfaces to file systems and device drivers, thus subverting the integrity of the entire operating system and applications.

Agreed. It's interesting to note that many of these issues could be prevented simply through security-minded coding practices.

> it is indeed folly to expect perfection in a human process of software engineering, but it is nothing less than incompetence and dishonesty to suggest that the existing state of affairs is somehow unavoidable.

Programmers I know usually like to take a sense of accomplishment and ownership in the software they write. But when management enforces unrealistic and draconian project milestones, quality suffers. This is a simple case of "follow the money."

> we don't need perfection, but we do need to accept responsibility for the truly crappy state of IT software and systems in place today.

We are accepting responsibility for the vulnerability-riddled IT infrastructure we all depend on daily. The mushrooming demand for IT security professionals is a direct result of businesses and users taking the responsibility. This in itself is very interesting - we have an entire market segment where the buyer/user shoulders an expense (and often a liability) caused by the producer's defective products. How long would a pharmaceutical company exist if its drugs were known to be poisonous? Would the patient buy and take the antidote so they could continue using the drug, much like we now buy and use all kinds of antivirus, anti-trojan, anti-spyware, etc.? Restaurants have expired because of word-of-mouth rumors of poor tasting food. Yet mega-billion dollar software companies flourish and grow, pumping big money into glitzy advertising campaigns, hawking products infested with weakness.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/