Slashdot Mirror


Thinking of Security Vulnerabilities As Defects

SecureThroughObscure writes "ZDNet Zero-Day blogger Nate McFeters has asked the question, 'Should vulnerabilities be treated as defects?' McFeters claims that if vulnerabilities were treated as product defects, companies would have an effective way of forcing developers and business units to focus on security issues. McFeters suggests providing bonuses for good developers, and taking away from bonuses for those that can't keep up. It's an interesting approach that, if used, might force companies to take a stronger stance on security-related issues."

2 of 158 comments

  1. Clueless writer dorks should know when to shut up. by asackett · Score: 0, Troll

    The problem of security holes in commercial software products is not one of developer apathy, but instead is a consequence of resource constraint. Which is just a nice way of saying that during the push to achieve an unreasonably accelerated product launch date with a short staff, small things get overlooked by developers, and the big things get overlooked by management.

    "Hey, boss, we've got a potential remote exploit here. We can't ship this garbage." "We have to ship. We'll catch it on the first patch cycle." "Uh, boss, we've never before caught anything on the first patch cycle. Why should we expect this one to be any different?" "Good question. Here's another: Who's going to sign your paycheck next week if we don't ship this product on time?"

    Clueless writer dorks should know when to shut up.

    --

    Warning: This signature may offend some viewers.

  2. Re:Of course vulnerabilities are defects by mrsbrisby · Score: 0, Troll

    E) All software becomes GPL; you can fix defects yourself, or hire anyone to fix them.

    Entertaining liability is only material because companies hold a monopoly on the "right" to fix defects, whatever that means, whether it be mere "annoyances" or outright failures of engineering.

    This essentially makes it a PR problem, where with the low cost and even lower expectations of a modern software world, you could sell a life support machine that killed its patients 100% of the time.

    Remove the monopoly, and you'll see higher quality software for cheaper, with the best software people working harder for more money, and the rent-a-coders becoming completely obsolete.