ryanlrussell: Vulnerability Pimps
Some very interesting commentary which follows on from a posting on Marcus Ranum's site here, which is in itself very interesting.
All good stuff if you're interested in software security, but the piece that caught my eye is right at the end of the comments section:
I'm hearing from the vulnerability pimps that, yes, code security is improving. They are reporting that it's much harder to find a remote hole in the current operating systems.
So security on operating systems is getting better... not really a surprise given the battering they've had and the level of resource that people like Microsoft are putting into it.
But... reckon that the hackers will go home now? Of course not. They'll move on, and I reckon that the place they'll go is all those other software applications that people install on their systems that come from vendors who maybe haven't woken up to the necessity of secure coding.
Sure it'll be harder for hackers to get coverage on as many systems 'cause there aren't all that many software monopolies out there, but I'm sure that's where they'll go.
So a good time to be asking the suppliers of all your applications what they do about software security. Do they do security code audits? What tools do they use for those audits? Have all their developers had secure development training?