Re: On product vulnerability history and vulnerability complexity
Forrest J. Cavalier III wrote:
Just a half-baked idea. Does selling software quality assurance make
sense?
If you will allow me to answer only that part of your email, I honestly
don't know - but:
Standardization and regulation is where we are all heading in many
different directions whether we like it or not. Today people believe
such testing cannot reliably be done. I disagree.
Point is, whether I am right or wrong, we may see a demand by
companies to do just that so that they can meet said standardization or
regulation.
So, I am not sure if selling it makes sense, but where there is a demand
there is a market, and I believe today people look for the HOW. Code
analysis and auditing are important steps, as well as secure coding and
QA security. That said, that process has proven itself, at the macro
level, to be a complete failure.
I tend to agree with Dave Aitel that fuzzers may be part of the solution
to that. I would add that they are, once they reach a level of maturity
and efficiency that merits such treatment.
Such certification is coming and such technology exists / can be found
in a few places.
That said (full disclosure), on these last two sentences you should take
what I say with a grain of salt as I currently work for a fuzzing vendor.
Gadi.