[antimedia] antimedia: I don't post about my profession, because....
antimedia at lists.powerblogs.com
Sun Dec 3 15:52:32 EST 2006
Posted by antimedia:
I don't post about my profession, because....
http://www.antimedia.us/posts/1165179146.shtml
....that's not the purpose of this blog, but this is something I think
my readers [1]should know about. The dirty little secret of the
software business is that security is usually an afterthought.
Software vendors are much more concerned with pushing product out the
door than they are about fixing problems with their software. It's
accepted industry practice to push out problem-filled software and
then fix it with updates later.
Now some large purchasers of software are taking the problem into
their own hands.
Seems like blackbox testing tools (fuzzers) gain more ground, but
not in the way I would expect.
I expected software/networking vendors to be buying commercial
fuzzers to check their products for security holes (or using open
source fuzzing tools as part of the development cycle).
Surprisingly, most companies I know that have implemented fuzzers
are not the ones writing code, but those who rely on other people's
products - telcos, cell phone providers, financial institutions,
and equipment suppliers.
Apparently, some of these companies check 3rd party products for
security holes before they install them in their network.
While this "certification" attitude is expected from financial
institutions, it's pleasantly surprising to see it from equipment
suppliers, for example. One large telco went as far as informing
several networking equipment vendors that any new version of their
networking products will undergo extensive security tests before it
is purchased. Since the tests are done with a commercial fuzzing
product, the networking vendor has a chance to buy a similar
product and do its testing already in the development lab - saving
the shame of having the customer find its security holes for him.
If this trend continues, software vendors will be forced to address
security issues earlier in the development cycle. That's a good thing.
It's much easier to fix security problems early in the software
development cycle than it is to retrofit them to a product already out
in customers' hands.
The end result will be much better quality software and much less
likelihood of your computer being compromised. That's good for all of
us.
References
1. http://blogs.securiteam.com/index.php/archives/752