On 7/20/06, Andrew van der Stock <[EMAIL PROTECTED]> wrote:
> Actually, it is a myth.
>
> For every non-trivial system, there are business pressures on
> resourcing, deadlines, and acceptable quality (pick any two). Once a
> business has set their taste for risk, it makes no sense to spend say
> $10m on security controls on a product and delay it for six months
> which may only bring in $2m in revenue in total, or none at all if
> the company runs out of money to bring it to market.
>
> At the moment, most companies neither accept or assign the risk,
> enumerate the risk correctly, nor take adequate steps to eliminate as
> much risk as possible. We need to improve all three aspects. Even in
> a perfect world, there will still be bugs and security defects. Let's
> make sure that the remaining ones are really hard to exploit, and
> when the exploit happens, not much loss occurs.

yeah.

but none of this changes the fact that it IS possible to write
completely secure code.


> thanks,
> Andrew

-- mic
_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
