[ Apologies to moderator for the resend. I've not PGP/MIME signed this one, as I guess that's the reason for the last copy disappearing. ]

[Ed. Apologies back at ya, as I'm on the road this week and trying my best to deal with a brain-damaged web emailer. KRvW]

On Fri, Nov 12, 2004 at 08:24:59AM -0500, Jeff Williams wrote:
> In my opinion, the way out of this trap is to get more information to
> consumers about the security in software. Information like how many lines
> of code, what languages, what libraries, process used, security testing
> done, mechanisms included, and other information can and should be
> disclosed.

These metrics are all well and good, but what makes you think consumers will ever be able to care about such things? Consumers have so far only cared about security when it directly affects them.

One could argue that's how it should be; users should never have to worry about the software they are running because "bad" software should never get past the door of the developers.

Providing consumers with assurances about the security of their systems strikes me as a good idea, and this is how it's worked for government contracts. However, they need to be in terms which the average consumer will a) understand and b) care about.

What would be nice to see would be some form of competition based on security, and not just the latest wiz-bangs in Grokulator 4.3.

How exactly you get consumers to care about these things before it immediately affects them is the question we should be looking at.

Regards,

--
Nicholas John Murison
~~~~~~~~~~~~~~~~~~~~~
http://www.urgusabic.net