[fuzzing] Hey all
nnp
version5 at gmail.com
Mon Mar 17 10:01:31 CDT 2008
On Mon, Mar 17, 2008 at 2:41 PM, Andre Gironda <andreg at gmail.com> wrote:
> On Mon, Mar 17, 2008 at 7:24 AM, nnp <version5 at gmail.com> wrote:
> > As for the 'should we pigeon hole ourselves more' question. No, I don't
> > think we should. I think security professionals can learn a lot from other
> > disciplines, especially when it comes to the development of automated testing
> > tools. A lot of work has been done in other areas that is applicable to the
> > security industry (formal verification, AI etc.) and having knowledge in
> > these areas can only be beneficial.
>
> Well I certainly agree that formal verification is great for security
> testing, especially modeling (over automated theorem-proving), but
> this only seeks to add more difficult-to-understand technology to an
> already boiled pot. While someone needs to focus on improving the
> technology from an academic standpoint (and of course I'd like to see
> improvements in open-source and commercial tools), what about solving
> the problem of getting software vendors to integrate and run these
> tools? How do we convince software developers (or the people that run
> their projects) that they need to utilize vulnerability research
> tools/techniques/services? Microsoft and Symantec are clearly the
> exception. Let's use Adobe as an example if you need one.
As I don't work for any of these companies I've no idea what the politics
etc. are regarding getting serious effort put into either recruiting top class
security researchers or spending money on integrating vulnerability research
tools. I guess the only really obvious motivation is when the costs of
having vulnerabilities in your products outweigh the cost of searching for and
fixing them. Do companies maintain risk assessments on the costs of
vulnerability disclosures etc.? Does anyone have any metrics on the benefits
of auditing for your own vulnerabilities? I know MS say their new SDL is
beneficial and has definitely increased the number of potential security
vulnerabilities they are catching pre/post release, but it's hard for a third
party to gauge how much it is costing them to implement it.
>
> > -nnp (In the hope of moving back to a slightly more civil debate)
>
> Sorry about that, my bad. Too much coffee or something ;>
Same here. I get a bit twitchy in the mornings ;) No hard feelings.
>
> Cheers,
> Andre
>
--
http://www.smashthestack.org
http://www.unprotectedhex.com