Message of 04/06/14 05:40 From: "coderman"
On Tue, Jun 3, 2014 at 6:06 PM, wrote:
... Your proposal [building meaningful security in from the start] would cause 99% of software currently in use to be rejected and make the development costs increase so astronomically as to be comparable to medical research.
1% making the cut is a far too generous estimate, perhaps 1% of 1%. as for the cost issue, which must be paid somewhere,
you make two assumptions:
first, assuming the externalities of insecure systems are simply non-existent. the costs of our pervasive vulnerability are gargantuan, yet the complexity and cost of robust alternatives instills paralysis. (this lack of significant progress in development of secure systems feeds your defeatist observations; it's ok ;)
I kind of feel like an ant looking at the task of moving a mountain.
second, that the schedules and styles of development as we currently practice it will always be. if you solved a core (commodity) infosec problem once, very well, in a way that could be widely adopted, you would only need to implement it once! (then spending five years and ten fold cost building to last becomes reasonable)
Yah no, we never know when a problem is really solved. We may consider it solved, then someone comes and breaks it for us. Not even formal proofs stand forever.