<<< Date Index >>>     <<< Thread Index >>>

Re: On product vulnerability history and vulnerability complexity



Forrest J. Cavalier III wrote:
Just a half-baked idea. Does selling software quality assurance make sense?

If you will allow me to answer only that part of your email, I honestly don't know - but:

Standardization and regulation is where we are all heading in many different directions whether we like it or not. Today people believe such testing can not reliably be done. I disagree.

Point is, that whether I am right or wrong we may see a demand by companies to do just that so that they can meet said standardization or regulation.

So, I am not sure if selling it makes sense, but where there is a demand there is a market and I believe today people look for the HOW. Code analysis and auditing are important steps, as well as secure coding and QA security. That said that process has proven itself to, in the macro level, be a complete failure.

I tend to agree with Dave Aitel that Fuzzers may be part of the solution to that. I would add that they are, once they reach a level of maturity and efficiency that merits such treatment. Such certification is coming and such technology exists / can be found in a few places. That said (full disclosure), on these last two sentences you should take what I say with a grain of salt as I currently work for a fuzzing vendor.

        Gadi.