Secure Coding Home | O'Reilly.com | Books | Conferences | O'Reilly Network
 

  About the Book
  Table of Contents
  Sample Chapter
  Advance Praise
  Reviews
  Press Release
  Order
  FAQ
  Errata

  About the Authors
  Bios of Mark and Ken
  Articles
  Op/Ed
  Thanks

  Book Companion
  Additional Case Studies
  Checklists
  Software Tools
  Code Snippets
  Bibliography and Links
  Contributions
  Analysis of Topical
    Vulnerabilities

  SC-L Mailing List

  Contact Us
  Email Addresses
  URLs
  Phone Numbers
  Contact O'Reilly

  Events Calendar
  Conferences

  Media Kit/Info
  Press Releases
  Link to Articles
  Link to Op/Eds


This site graciously hosted
by our friends at
Opinions/Editorials

12 August 2003

The article:  Vendors Offer Plan for Disclosing Software Security Holes - Computerworld

The final version of the process:  http://www.oisafety.org

To the editor:

Please include us among the "Security researchers [who] say their concerns were ignored" by the grandly-named "Organization for Internet Safety (OIS)".

In our open letter of June 10th, we said that the process:
  1. Pays insufficient attention to the "engineering complexity" of any particular vulnerability.
  2. Does not recognize the critical need for "life cycle" considerations in the design, creation, and maintenance of secure code.
  3. Does not include sufficient enticements to motivate widespread participation.
  4. Is too complicated (and too detailed) to be practical.
Having looked over the final version, we conclude that not only that our concerns (see http://www.securecoding.org/authors/oped/june102003.php for the full text) were ignored, but that some were actually exacerbated. The document now runs to 36 pages, for example. Like the process itself, it is so long and so complicated that one must immediately consign it to the "boat anchor" category. (Go ahead, try to read it through! It's at http://www.oisafety.org/reference/process.pdf.)

We had high hopes when we first heard about the project. As security practitioners with decades of experience--and more than a few years in the center ring of the "vulnerability circus"--we were ready for a workable proposal in a collaborative spirit. We suspect now that the point of the exercise was to produce a process to deaden dissent and provide a preemptive defense against liability lawsuits. In any event, the effort is dead on arrival; and that's a low-down dirty shame.

Mark G. Graff
Kenneth R. van Wyk
Authors, Secure Coding
http://www.securecoding.org

Copyright (C) 2003, Mark G. Graff and Kenneth R. van Wyk. Permission granted to reproduce and distribute in entirety with credit to authors.

Site Contents Copyright (C) 2002, 2003 Mark G. Graff and Kenneth R. van Wyk. All Rights Reserved.
webmaster@securecoding.org