Re: On product vulnerability history and vulnerability complexity

To: "Forrest J. Cavalier III" <mibsoft@xxxxxxxxxxxxxxx>
Subject: Re: On product vulnerability history and vulnerability complexity
From: Gadi Evron <ge@xxxxxxxxxxxx>
Date: Tue, 04 Apr 2006 02:34:00 +0200
Cc: crispin@xxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <44315932.1010001@xxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <200603240801.k2O81Wnx003790@xxxxxxxxxxxxxxx> <442F060E.4030909@xxxxxxxxxx> <44315932.1010001@xxxxxxxxxxxxxxx>
User-agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)

Forrest J. Cavalier III wrote:

Just a half-baked idea. Does selling software quality assurance makesense?

If you will allow me to answer only that part of your email, I honestlydon't know - but:

Standardization and regulation is where we are all heading in manydifferent directions whether we like it or not. Today people believesuch testing can not reliably be done. I disagree.

Point is, that whether I am right or wrong we may see a demand bycompanies to do just that so that they can meet said standardization orregulation.

So, I am not sure if selling it makes sense, but where there is a demandthere is a market and I believe today people look for the HOW. Codeanalysis and auditing are important steps, as well as secure coding andQA security. That said that process has proven itself to, in the macrolevel, be a complete failure.

I tend to agree with Dave Aitel that Fuzzers may be part of the solutionto that. I would add that they are, once they reach a level of maturityand efficiency that merits such treatment.Such certification is coming and such technology exists / can be foundin a few places.That said (full disclosure), on these last two sentences you should takewhat I say with a grain of salt as I currently work for a fuzzing vendor.


        Gadi.

References:
- On product vulnerability history and vulnerability complexity
  - From: Steven M. Christey
- Re: On product vulnerability history and vulnerability complexity
  - From: Crispin Cowan
- Re: On product vulnerability history and vulnerability complexity
  - From: Forrest J. Cavalier III

Prev by Date: Re: recursive DNS servers DDoS as a growing DDoS problem
Next by Date: Re: recursive DNS servers DDoS as a growing DDoS problem
Previous by thread: Re: On product vulnerability history and vulnerability complexity
Next by thread: [eVuln] DSPoll Multiple SQL Injection Vulnerabilities
Index(es):
- Date
- Thread