Valdis Kletnieks said:

> It's not as simple as "throw it out and start again" - what's feasible for a
> student's semester project or a small company's small software package isn't as
> feasible when it's one of the largest sets of intertwined code ever written....
And that's the main point - the enemy of security isn't any given company/package/platform. It's complexity. Complexity guarantees that there will be flaws, that might be exploited, in any product. The only products with no reported vulnerabilities are small, low-use products, and the main reason there aren't any reports is that no-one's bothered to look.

It's a principle that no matter how much effort is put into attempting to achieve perfection, not just "six sigmas", it can't be achieved. Without perfection no-one, not just Business, can risk a monoculture (just ask the U.S. wheat farming industry). 'Cos this isn't medicine, where "acceptable losses" can be estimated - who could guess the impact from a code flaw in the root servers? Or base code for HTTP handling? Or the privilege handling code in Windows?

I believe Microsoft are making genuine efforts to improve their code. But even with billions in the bank to spend on it, they can't make it perfect. And in order to trust that their code can run EVERYTHING, that's what it'd have to be.

The corollary, of course, is that IT will become more expensive, because people will have to bite the bullet and get people with more than one skillset, or more people. Of course, they could outsource...... ;-)

Regards,
tom.

----------------------------------------------------------------------------------------
Tom Cleary - Security Architect
"In IT, acceptable solutions depend upon humans - Computers don't negotiate."
----------------------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html