Re: [Dailydave] Lame studies that people quote as fact that have no basis in reality and still don't prove anything even if they did
From: Dave Aitel (dave immunitysec.com)
Date: Wed Feb 04 2004 - 09:42:29 CST
Anton A. Chuvakin wrote:
>>This is crap. If you spend your whole life looking for security bugs in
>>your product, then you find them. Continuously. You'll end up finding at
>
>It well might be crap (I personally don't know), but I think his main
>point was:
>
>"Yes, it's faster and cheaper to design security into software than bolt
>it on afterward. But it's even fasterer and cheaperer to build crappy
>software to get the project rolled out immediately, please your boss and
>help the company make its quarterly number. Guess which path most
>organizations will always take."
>
>rather than whatever "6.5" times numbers to compare before and after QA.
>
>Best,
>
Yeah, I'm fairly sure his point is unassailable, since there's no way
most information security writers would ever say anything even remotely
attackable, for fear of being attacked. According to one study
(conducted by my turtle "Turtle-I"), it's five times easier to just say
what other people are saying than do actual thinking in your own head.
That's why I'm positing that it's actually a lot cheaper to just roll
software out, handle the bad PR from occasional fish being caught, and
maybe try to lobby congress to make vulnerability disclosure illegal. :>
-dave