On 7 Jun 2001, at 20:46, Paul D. Robertson wrote:

> On Thu, 7 Jun 2001 mht@clark.net wrote:
>
> > Ahem, actually lack of quality assurance testing in software and
> > hardware is the biggest threat out on the Internet today. According to
> > some there hasn't been a new intrusion introduced into the wild except some
> > type of exploit in code that the original programmers did not catch during
> > their "extensive" QA process especially those folks located in the Pacific
> > Northwest.
>
> How isn't that covered in:
>
> "making software vendors produce more secure systems?"
>
> :-P
>
> Paul

I submit that it "isn't covered", in that *QA* is not the place to insert security or reliability into the product. You get much better effectiveness if it goes into (a) the design, and (b) the tools used to implement -- which are somebody's products in their own right.

The fact that QA *cannot* find every buffer-overflow in a program is no excuse for people to be still writing code with exploitable buffer overflows in it in 2001.

David Gillett