Reflecting on Linux Security in 2003
LogError writes "Here's a look at some interesting happenings with Linux security in 2003 with comments by Bob Toxen (one of the 162 recognized developers of Berkeley UNIX and author of "Real World Linux Security") and Marcel Gagne (President of Salmar Consulting, Inc. and author of "Linux System Administration - A User's Guide" and "Moving to Linux")."
Quote from the article: SecurityFocus columnist Hall Flynn notes that he doesn't understand why Linux vendors that put so much time and money into creating security patches distribute them for free. --> Just imagine the amount of e-mail worms there could be out there if people would have to pay for outlook updates.
I absolutely agree with every point in your bulleted list. But the short answer is yes, I do believe that bugs make it into code because of emphasis on cranking out software quickly. It would seem illogical to do so, true, but the sad truth is that it happens and I have watched in horror as it has happned at the place at which I work. When the CEO comes in screaming "ship it! ship it!" and you are given very little alternative, that is exactly what happens. And yes, it does cost more money to repair the bugs later than sooner, but management knows no logic, and developers many times get no say in when their project ships.
Jack Ganssle gave a very nice keynote speech at the recent Boston Embedded Systems Conference that touched on those very same problems. We all know better, but it still happens. And no, not just at M$. However, when you can crank out a new OS every couple of years and the sheep still buy it despite knowing that the OS is unstable, then why not?
Some of the security holes that we have seen come from M$ products (and other products as well!) show the lack of real testing... problems that never should have been seen by the end user.
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."