Another big frustration: No-one seems to be making any real headway into the
problem of actually measuring loss attributable to doing nothing - or, in other
words, losses cradle to grave from operating insufficiently secure systems.
People try to measure "ROI" from security, which is a ridiculou
> Ever since I read an article about the challenges of remote laser surgery
> being done by doctors at the Naval Hospital in Bethesda, MD, via satellite
> link on wounded soldiers in Iraq, I've been warning for years about the need
> to apply software assurance principles to the development and
Agree with you - there's nothing new in the article. I gave a talk a
couple years ago at a conference on biomedical engineering, and there was
one person in the room (out of a few hundred) who had heard of Therac-25.
(Which I assume is what you were referring to with 1985.)
If the article were in
Ever since I read an article about the challenges of remote laser surgery being
done by doctors at the Naval Hospital in Bethesda, MD, via satellite link on
wounded soldiers in Iraq, I've been warning for years about the need to apply
software assurance principles to the development and testing
On Mon, 30 Jun 2014, Gary McGraw wrote:
: Chandu Ketkar and I wrote an article about medical device security based
: on a talk Chandu gave at Kevin Fu's Archimedes conference in Ann Arbor.
: In the article, we discuss six categories of security defects that
: Cigital discovers again and again