> On 6/26/07 4:25 PM, "Wall, Kevin" <[EMAIL PROTECTED]> wrote:
>
> > I mean, was the fix really rocket science that it had to take THAT
> > LONG??? IMHO, no excuse for taking that long.
Some major vendor organizations, most notably Oracle and Microsoft, have frequently stated that they can't always fix even simple vulnerabilities instantly, because they have batteries of tests and platforms to verify that the fix won't damage anything else. I can see why this would be the case, although I rarely hear vendors talk about what they're doing to make their response time faster. Open source vendors likely have similar challenges, though maybe not on such a large scale.

I'd be interested to hear from the SDLC/CMM consultant types who work with vendors on process, about *why* this is the case. And in terms of future challenges: how can the lifecycle process be changed so that developers can quickly and correctly fix show-stopping issues (including/especially vulnerabilities)?

It would seem to me that one way that vendors can compete, but don't, is in how quickly and smoothly they fix issues in existing functionality, which might be a large part of the operational expenses for an IT consumer.

- Steve

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________