On Tue, Jun 3, 2014 at 6:06 PM,
... Your proposal [building meaningful security in from the start] would cause 99% of software currently in use to be rejected and make the development costs increase as astronomically as to be compared to medical research.
1% making the cut is a far too generous estimate, perhaps 1% of 1%. as for the cost issue, which must be paid somewhere, you make two assumptions: first, assuming the externalities of insecure systems are simply non-exist-ant. the costs of our pervasive vulnerability are gargantuan, yet the complexity and cost of robust alternatives instills paralysis. (this lack of significant progress in development of secure systems feeds your defeatist observations; it's ok ;) second, that the schedules and styles of development as we currently practice it will always be. if you solved a core (commodity) infosec problem once, very well, in a way that could be widely adopted, you would only need to implement it once! (then spending five years and ten fold cost building to last becomes reasonable) for now, it appears stasis and external costs are the status quo. the future, if here at all, is clearly not yet widely distributed... best regards,