Date: Tue, 04 Apr 2006 02:34:00 +0200
From: Gadi Evron <ge@...uxbox.org>
To: "Forrest J. Cavalier III" <mibsoft@...software.com>
Cc: crispin@...ell.com, bugtraq@...urityfocus.com
Subject: Re: On product vulnerability history and vulnerability complexity


Forrest J. Cavalier III wrote:
> Just a half-baked idea.  Does selling software quality assurance make 
> sense?

If you will allow me to answer only that part of your email, I honestly 
don't know - but:

Standardization and regulation is where we are all heading, in many 
different directions, whether we like it or not. Today people believe 
such testing cannot reliably be done. I disagree.

The point is that, whether I am right or wrong, we may see a demand by 
companies to do just that so that they can meet said standardization or 
regulation.

So, I am not sure if selling it makes sense, but where there is a demand 
there is a market, and I believe today people look for the HOW. Code 
analysis and auditing are important steps, as well as secure coding and 
QA security. That said, that process has proven itself, at the macro 
level, to be a complete failure.

I tend to agree with Dave Aitel that fuzzers may be part of the solution 
to that. I would add that they are, once they reach a level of maturity 
and efficiency that merits such treatment.
Such certification is coming, and such technology exists / can be found 
in a few places.
That said (full disclosure), on these last two sentences you should take 
what I say with a grain of salt, as I currently work for a fuzzing vendor.

	Gadi.
