Greetings,

Saw an announcement today on DesktopLinux.com (see http://www.desktoplinux.com/news/NS6923692411.html for the full scoop) about an open source tool to analyze software failures on (IA-32) Linux systems. Although not specifically security-related, the vendor claims that the tool will help improve software reliability.

I believe that we don't do enough to analyze and learn from software failures. Look at how other engineering disciplines analyze their failures and then learn from them -- bridge collapses, airplane crashes, etc., all come to mind. Even the vulnerability advisories that we get from vendors, CERT, etc., don't typically focus on the root cause (no pun intended), but the solution set. That's fine for the people that run computers, but not for the people that write the software.

Cheers,

Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com
