No subject

 --1 August 2001
CNN reports a growing public cry for manufacturers of software to
take more responsibility for correcting security flaws in products
they sell. Shipping insecure software and waiting for it to hurt
customers is not working. The video news segment also reports that
the cyber insurance industry claims it has sold cyber insurance to 5%
of American businesses.
http://www.cnn.com/video/tech/2001/08/01/dg.micro.security.cnn.med.html
[Editor's (Schultz) Note: How many news items of this nature
are we going to have to read before we wake up to the fact that
software vendors for the most part deliver poor quality software
that leads to security problems?   One of the unfortunate results of
this ill-advised practice of the software industry is a plethora of
security vulnerabilities. The only solution is appropriate legislation.
(Schmidt) We still have humans developing software. I am sure ALL of
the vendors (including the open source Linux developers) would love to
reach perfection in coding. If you know of any coders who are perfect,
I would be happy to look at hiring them.
(Murray) I have to come down with Howard on this. It sounds as though
Gene is suggesting that we legislate perfect software.  Be careful what
you ask for and the words that you use to ask for it.  Having spent
five years of my career in development, I am impressed that, given the
quantity of code that we ship and the number of users and uses that
it must satisfy, the quality is as good as it is.  I am satisfied
that we do a far better job of building code for the market place
than we ever did building bespoke code for the enterprise.
(Paller) A compromise, perhaps. To avoid reactive legislation, the
vendors could take a leadership role by automating the updating and
patching process and take responsibility for delivering the latest
(completely patched) version to each new customer.  The Linux vendors
will probably be first because it will demonstrate the security
advantage of their software over Microsoft, but one can only hope
Microsoft will see the opportunity to better serve its client base,
as well. Microsoft managers appeared surprised when I told them last
week that many users would gladly pay 20 to 30% of the price of the
software each year if Microsoft would take responsibility for patching
the code as AOL does for its 20 million users.  IBM's updating service
is one of the key reasons that large companies feel safe in buying
from IBM. If you work for a medium to large company or government
agency and use Microsoft products on a large number of computers,
please send an email to sansro at sans.org (subject: MS patches) telling
us what percentage of the product price you would be willing to pay
Microsoft, each year, for active updates of security and hot fixes.]

/Vladimir
vkatalov at elcomsoft.com