Re: [WEB SECURITY] A Different CSOonline Article calling out the BS in the security industry
- From: "Andy Steingruebl" <steingra@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] A Different CSOonline Article calling out the BS in the security industry
- Date: Thu, 11 Jan 2007 08:27:22 -0800
On 1/11/07, Pete Herzog <lists@xxxxxxxxxx> wrote:
> "Disclosure" and "Non Disclosure" is a red herring. Better education
> is a better solution.
> Better education? How about just the truth for everyone, not just the
> developers. I think that's the direction full disclosure should be going in.
> . . .
> I'd like to but I can assure you that it's not going to
> happen and that's not because the general population doesn't need it. It's
> a marketing decision.
Well, people didn't use to think they wanted safe cars, steam
engines, airplanes, etc. Eventually we decided to regulate them, and
now we have both safety standards and independent testing
organizations to measure against them. We also have liability for
faulty implementations, etc.
One difference between Ralph Nader's "Unsafe at Any Speed" and the
computer security full-disclosure movement is that in the case of auto
safety the threat is not from an active attacker. So disclosing the
vulnerability in a car safety system informs the public but doesn't
increase risk. This isn't necessarily true in computer security
disclosure.
--
Andrew Steingruebl
steingra@xxxxxxxxx
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org