With the release of the adobe vulnerability that many of us have written about there is a renewed debate on software security. Many, including myself, have been calling for software vendors or be more diligent in ensuring that their code is secure before it is released. Unfortunately, most of this has fallen on deaf ears.
Ravi Char has a good post on the adobe issue at his site here. I agree that the problem falls solely with the vendors. They MUST do more to secure their code before it hits the shelves (or ftp server). They need to spend more time on secure coding, code review, and vulnerability testing while still in the house. If they do so they will spend less time writing and issuing patches.
There has been talk of holding vendors liable for sloppy code. I know that there are lots of problems with doing this. Determining exactly what is "sloppy" code, was it affected due to poor deployment procedures, what else happened to allow the exploit to occur... and on and on. Not to mention the whole issue of those who write and distribute software for free. Something like this would severely restrict what they could do.
I don't have an answer beyond us, as consumers, have to keep on the vendors and demand changes. We blog about sloppiness, laziness and just plain bad practices. We let the vendors know when and why we are unhappy. We let them know that they are not the only option and if it comes to it we move to a new platform. Adobe isn't the only pdf vendor out there. They are the "Big Boy", but there are other options. This hold true for most all types of software. There are very few applications that are the only guy on the block. It's a good idea to know what options are out there so when a vendor is unresponsive and irresponsible we can move on.
Security's Everyman
Tuesday, January 09, 2007
Secure Software
Posted by Andy, ITGuy at 7:05 AM
Labels: adobe flaw, information security, ravi char
Subscribe to:
Post Comments (Atom)
1 comment:
I mentioned this on my predictions for 2007. They need to spend more time to make their code secure but they don't have that time. They want to hit the shelves (or ftp servers) first. And whatever goes out there is not likely to be secure, just first.
Post a Comment