RE: [Dailydave] Lame studies that people quote as fact that have no basis in reality and still don't prove anything even if they did

From: Chris Eagle (cseagleredshift.com)
Date: Wed Feb 04 2004 - 10:34:06 CST


Dave wrote:
>
> This is crap. If you spend your whole life looking for security bugs in
> your product, then you find them. Continuously. You'll end up finding at
> least 100 times more than will ever come out in public. So you really
> save a lot of money by doing everything in the QA phase, where it belongs.
>

The quote is a classic software engineering statistic designed to motivate
people to do proper requirements analysis and design. They are not talking
about cost in incident response terms or damage caused by exploited
vulnerabilities, they are talking strictly about the cost of modifying the
software after it has been released vice doing it right in the first place.
IE is a good example. It is so poorly designed and so interwoven with the
O/S that small changes today have a huge impact and require significant
resources to make sure they didn't break a ton of other stuff when they made
the fix. If it was well designed in the first place, the theory goes, they
would have fewer bugs today (less cost) and the ones they do have today
would be easy to fix (less cost). But of course I am not a big fan of
software engineers, because none of the ones I know can code worth a damn.

Chris