Then perhaps your company should hire a security expert to design the
security. Defects in portability or performance are low-risk and easily
detected, and the cost scales with the time until a patch is deployed.
Security vulnerabilities are much more tricky and expensive to detect and
the damage may happen all at once, making them very high-risk.
I understand several of the OpenSSL development team are available for
consulting.
Well, it's not like we can do whatever we would like to. Our company
is small, and only got the small part in that project. As I said in
the first message, it's the CEO of that partner company which
got the biggest part of the project who brought in his
security expert. They are the overall lead, and we have to work
with them.
Even his engineers do not agree with his security consultant.
What I'm doing here (working on the cost calculator, working on
the analysis model, etc) is not for our company, it's for this
partnering company, actually for the group leader in that
company to present it to their management.
We don't like to associate our name with lousy projects, that's
why I'm doing what I'm doing now, and this is extra work
for nothing. If we don't care, we would shut the hell up,
get the thing done (whatever it is), take the money, and
move on.
rgds
_________________________________________________________________
FREE pop-up blocking with the new MSN Toolbar ? get it now!
http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
