ljknews wrote:

> At 8:23 AM -0400 10/15/04, Kenneth R. van Wyk wrote:
>> I believe that we don't do enough to analyze and learn from software failures.
>
> I believe the industry as a whole does plenty to analyze software failures, particularly considering how little is done to avoid those errors. Added analysis in the face of near-zero remediation would be useless.
>
> How many times do we see "buffer overflow" as the cause, yet even on this mailing list people still defend the use of languages that not only permit but actually promote such errors.

Well, I did say "...analyze AND learn...". :-)

Seriously, though, there's plenty of data on the symptoms of failures -- advisories, securitytracker.com, etc., but not enough on the causes in my opinion.

And, to exacerbate the problems, in every software security tutorial that I do, I ask the students how many of them read information from places like bugtraq, full-disclosure, phrack, and such. Among the software developers, _maybe_ 5% of them say that they do. Admittedly, the percentage is better among the IT Security folks that I talk to, but they're not generally the ones that are writing the software. Of course, that's not a scientific survey or anything, but I sure get the feeling that very few software dev folks spend any/much time analyzing failures.

Cheers,

Ken
