Date: Fri May  5 03:17:43 2006
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: How many vendors knowingly ship GA product with security vulnerabilities?

On Thu, 04 May 2006 18:15:18 PDT, Bill Stout said:
> That's an excellent and well thought out reply.  Sounds like you have
> some experience in delivering software.

Not commercial software.  However, commercial software ship dates are
infinitely flexible compared to "30,000 students are showing up Tuesday
and the class registration and housing checking systems *have* to be ready" ;)

> It would seem that if a few days buffer were built into the system,
> specifically to check in security fixes prior to QA; that would be a
> huge 'CYA' benefit to prevent those 'CLM' moves and to protect the
> consumers of the software.

Trust me - the original plan usually *starts* with *more* than "a few days
buffer".

Recommended reading: "The Mythical Man Month" by Fred Brooks - what he learned
as the project manager for IBM's OS/360 operating system development, which
still ranks as one of the biggest software development projects in history.
One of the famous quotes from it: "Adding programmers to late software projects
makes them later"....
