tqbfat_private wrote:
| I submit that it is likely that we will find bugs in switches, because
| switches are performance-enhancing devices that are not (AFAIK) designed
| with security as a priority. I submit it is unlikely that we will find a
| bug (easily) in any given application gateway firewall.

I refer you to the encrypting srvio.c that was the export-controlled part of the FWTK for three years before a replay attack was corrected.

The amount of real review of source that's done is pathetically low. Doing internal code reviews pays for itself very quickly by finding problems that are not found by other parts of the testing process. Where I did my first review work, we routinely found, and prevented deployment of, security bugs, any one of which would have cost more in staff time to clean up than all the reviews we ever did. I won't get into the cost of bad publicity for the company.

It's been very clear to me when I've done reviews as a contractor that some of the code has never been seen by anyone other than the author. This was for a well-known and respected security company.

Adam

--
Just be thankful that Microsoft does not manufacture pharmaceuticals.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:56:50 PDT