<<< Date Index >>>     <<< Thread Index >>>

Re: Microsoft and Security



Alun Jones wrote:
... okay, so you're arguing that even more QA and more testing should be
<snip>
releasing a smaller fix, with minimal impact, as soon as possible.
<snip>
improving the process, perhaps you should try and express those suggestions
in a coherent manner that could be used
...

Aloha, Alun.

My suggestion is a simple one that all software developers can manage to incorporate into their busy schedules and tight budgets:

Hire an expert to conduct a thorough forensic review of the software before it is released, and publish the forensic analysis report.

Any vulnerabilities, flaws, areas that need additional work, portions that were built by subcontractors of questionable skill or loyalties, portions that were offshored, features that the programmers themselves warn are not yet done by placing comments in the source code, third party libraries or code or algorithms that may create intellectual property liability for the end user, and all other issues of computer forensics and computer law should be spelled out as clearly as possible by any company that develops and distributes software to the public.

Anyone who does not publish a forensic analysis report along with their software should publish the source code, whether or not they release legal rights to that source code under an open source or free software license.

The computing public should not have to reverse engineer software products in order to figure out what they do to the computers on which they are installed and used.

Even the Department of Justice knew better than to allow the FBI to build and deploy law enforcement computer technology without hiring an expert to write a forensic report on the product, and the FBI doesn't try to sell "Carnivore" to anyone.

http://www.epic.org/privacy/carnivore/

Final Independent Technical Review of the Carnivore System
http://www.epic.org/privacy/carnivore/carniv_final.pdf

We should require software vendors to take this stuff seriously.

Sincerely,

Jason Coombs
jasonc@xxxxxxxxxxx